
Industry - Enforcement

Labels: moderate, Anti-Privacy, Enforcement

Executive Summary

Spain's data protection authority fined Bankinter €240,000 after a cyberattack on EVO Banco (which Bankinter later absorbed) exposed 1.27 million customer records in March 2024. The breach occurred when a system migration error removed access controls from a customer onboarding API, allowing attackers to extract personal data, including names, birth dates, national ID numbers and contact details, over five days. The bank only learned of the breach two weeks later when a third party repo...

What Happened

In March 2024, a cyberattack on EVO Banco in Spain exposed the personal data of 1.27 million customers after a system migration error removed access controls from a customer onboarding API. Attackers exploited the unprotected endpoint over five days, making over 5.4 million requests and extracting data including names, national ID numbers, birth dates, passport numbers, IBANs, employment details and income information. EVO Banco only discovered the breach two weeks later, when a third-party service flagged a Dark Web post advertising the stolen database; the attacker later demanded a ransom and published the data of 958 clients when the bank refused. Spain's data protection authority (AEPD) concluded its investigation in 2025 by fining Bankinter, which had absorbed EVO Banco through mer...

Who Is Affected

Over 1.27 million EVO Banco customers in Spain had their personal and financial information compromised, including highly sensitive data such as national identity numbers, passport numbers, bank account details, employment status, income levels, and VAT declarations. At least 958 customers and four employees had their data publicly posted on the Dark Web when ransom demands were not met. The breach generated ten formal complaints from affected individuals to Spanish authorities over the following year.

Why It Matters

This incident shows how a routine system change can open a catastrophic hole when the change is not tested and access controls are not verified afterwards: a single migration left an API serving customer records to anyone who asked, exposing over a million people to identity theft and financial fraud. The bank's initial assessment that the breach posed a low risk to individuals was overruled by the regulator, which required customer notification under GDPR Article 34 (communication of a personal data breach to the data subject), highlighting the gap between an institution's own risk assessment and the actual harm to consumers. The two-week detection delay, and the fact that the bank learned of the breach from an external notification rather than from its own monitoring of 5.4 million requests against one endpoint, point to serious deficiencies in real-time security monitoring at a financial institution handling sensitive customer data.
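The two controls the incident points to, as an added example that is not code from PrivacyWire, EVO Banco or Bankinter: a post-migration smoke test that the onboarding API still refuses calls without a valid token, and a detection rule over constructed access-log lines that flags any single client pulling hundreds of customer records within a minute. The endpoint path, token values, log-line format and the 100-requests-per-minute threshold are all assumptions chosen for illustration.

```python
"""Added example: post-migration access-control check and bulk-request detection.

Not code from PrivacyWire, EVO Banco or Bankinter. The endpoint path, token
values, log-line format and the per-minute threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# ---- 1. Verify the access-control gate survived the migration ----------------
# A tiny stand-in for an onboarding API handler. `authz_enabled` models the
# configuration that a migration error could silently drop.
CUSTOMERS = {"1001": {"name": "Example Customer", "id_number": "00000000T"}}
STAFF_TOKEN = "valid-staff-token"  # assumed credential for the example only


def onboarding_lookup(customer_id, token, authz_enabled=True):
    """Return (HTTP status, record or None) for a customer lookup."""
    if authz_enabled:
        if token is None:
            return 401, None
        if token != STAFF_TOKEN:
            return 403, None
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, None)


def verify_access_control(handler):
    """Post-deployment smoke test: every call without a valid token must be
    refused and must return no record. Returns the list of failing cases;
    an empty list means the gate holds."""
    failures = []
    for label, token in (("no token", None), ("bad token", "not-a-valid-token")):
        status, body = handler("1001", token)
        if status == 200 or body is not None:
            failures.append(label)
    return failures


# ---- 2. Detect a client bulk-pulling customer records ------------------------
EPOCH = datetime(1970, 1, 1)


def parse_line(line):
    """Constructed log format: '<ISO timestamp> <client IP> <method> <path>'."""
    ts, ip, _method, path = line.split()
    return datetime.fromisoformat(ts), ip, path


def flag_bulk_clients(lines, window=timedelta(minutes=1), threshold=100):
    """Count customer-record fetches per (client, time window) and return
    {ip: peak count} for every client whose peak exceeds the threshold."""
    counts = defaultdict(int)
    for line in lines:
        ts, ip, path = parse_line(line)
        if not path.startswith("/onboarding/customers/"):
            continue
        bucket = (ts - EPOCH) // window  # integer window index, timezone-free
        counts[(ip, bucket)] += 1
    peaks = defaultdict(int)
    for (ip, _bucket), n in counts.items():
        peaks[ip] = max(peaks[ip], n)
    return {ip: n for ip, n in peaks.items() if n > threshold}


def build_sample_log():
    """Constructed traffic: a few staff lookups plus one client enumerating
    600 sequential customer IDs inside a single minute."""
    base = datetime(2024, 3, 12, 9, 0, 0)
    lines = []
    for i in range(5):  # normal: one lookup every 30 s from 198.51.100.5
        ts = base + timedelta(seconds=30 * i)
        lines.append(f"{ts.isoformat()} 198.51.100.5 GET /onboarding/customers/{2000 + i}")
    for i in range(600):  # bulk: ten requests per second from 203.0.113.7
        ts = base + timedelta(milliseconds=100 * i)
        lines.append(f"{ts.isoformat()} 203.0.113.7 GET /onboarding/customers/{1000 + i}")
    return lines


if __name__ == "__main__":
    print("authz on :", verify_access_control(onboarding_lookup))
    print("authz off:", verify_access_control(
        lambda cid, tok: onboarding_lookup(cid, tok, authz_enabled=False)))
    print("bulk clients:", flag_bulk_clients(build_sample_log()))
```

The smoke test is the piece that belongs in the deployment pipeline: run it against the real endpoint after every migration and fail the rollout if it returns anything but an empty list. The volume rule is deliberately simple (fixed windows, one threshold); in production it would feed a SIEM alert and be paired with a check for sequential-ID enumeration, but even this form would have fired within the first minute of a 5.4-million-request campaign.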

What You Should Do

If you were an EVO Banco customer in early 2024, check your bank accounts and credit reports now for unauthorized activity, since your national ID number, income data and banking details may be in criminal hands. Place fraud alerts with the credit bureaus and consider freezing your credit so that identity thieves cannot open accounts in your name. Watch for phishing attempts that quote your specific personal details from the breach, and report any suspicious contact to both your bank and the Spanish authorities. Change any passwords or security questions built from details exposed in this breach, such as your birth date or ID number, and enable multi-factor authentication wherever it is available.

Summary generated from verified sources and reviewed before publication.

Spain's data protection authority fined Bankinter €240,000 after a cyberattack... - Industry | PrivacyWire