CaixaBank fined 5 million euros for data security breach
07 March 2024
The AEPD has imposed a five million euro fine on CaixaBank for a security breach that allowed its customers to view data on transfers made by others with whom they had no relationship. In particular, a customer received a notification about a transfer made by another individual. The customer filed the complaint after seeing in his user profile a document related to a transfer made by a third party to another unknown person (a document containing numerous items of personal data, such as ID number, postal address, bank account number, etc.).
According to the AEPD's resolution, the potential impact of the incident could extend to all CaixaBank customers. The resolution also asserts that CaixaBank did not respond appropriately to address the breach upon becoming aware of it and that, even then, its solution was merely a patch rather than the implementation of adequate security measures to protect the rights and freedoms of the data subjects.
CaixaBank plans to appeal the decision to the National Court, describing the fine as "disproportionate." The entity emphasizes that the situation was exceptional and that measures have been taken to prevent the recurrence of a similar incident.
Authors: Cristina Grande, Counsel; Carmen Gordillo, Associate