CaixaBank fined 5 million euros for data security breach 

The AEPD has imposed a five million euro fine on CaixaBank for a security breach that allowed its customers to view data on transfers made by others with whom they had no relationship. In particular, a customer received a notification about a transfer made by another individual. The customer filed the complaint after seeing in his user profile a document related to a transfer made by a third party to another unknown person (which contains numerous personal data, such as ID number, postal address, bank account number, etc.).

Pursuant to the AEPD's resolution, the potential impact of the incident could extend to all CaixaBank customers. Also, it asserts that CaixaBank did not respond appropriately to address the breach upon becoming aware of it, and even then, its solution was merely a patch, instead of implementing adequate security measures to protect the rights and freedoms of the data subjects.

CaixaBank plans to appeal the decision to the National Court, describing the fine as "disproportionate." The entity emphasizes that the situation was exceptional and that measures have been taken to prevent the recurrence of a similar incident.

Authors: Cristina Grande, Counsel; Carmen Gordillo, Associate