Spain’s AEPD Fines Bankinter €240,000 Over 2024 EVO Banco Data Breach
Spain’s data protection authority (AEPD) has concluded its investigation into a 2024 cyberattack on EVO Banco, imposing a €240,000 fine on Bankinter after the lender absorbed EVO Banco through a merger. The breach, which exposed sensitive personal and financial data of over 1.27 million individuals, stemmed from an API vulnerability introduced during a system migration in February 2024.
The flaw, approved through EVO Banco’s internal change management process, removed access controls on an API used in customer onboarding, allowing unauthenticated queries to retrieve data. Between 23 and 27 March 2024, the vulnerable endpoint processed 5.47 million requests, of which 1.27 million successfully retrieved personal records. Exposed data included names, national identity numbers, IBANs, employment details, VAT declarations, and income levels, a scope far exceeding the bank’s initial characterization of the breach as limited to basic identifying information.
EVO Banco only detected the incident on 8 April 2024 after a third-party cybercrime monitoring service flagged a Dark Web post advertising a database of 1.3 million customers. The attacker, who joined the forum weeks earlier with minimal reputation, later demanded a ransom, publishing data for 958 clients and four employees when EVO Banco refused to pay. The bank filed a police report on 22 April 2024, though forensic analysis could not confirm whether the full dataset was exfiltrated.
The AEPD’s investigation identified three critical security failures: the API’s lack of authorization checks, unencrypted personal data, and a change management process that failed to test for access control vulnerabilities. While EVO Banco initially classified the breach as low-risk and declined to notify affected individuals, the AEPD intervened on 18 April 2024, ordering mandatory disclosures under GDPR Article 34.
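As an added illustration (not code from the article, the AEPD, or either bank), the following Python models the third failure the AEPD identified: a change-management gate that probes every route of an onboarding-style API without credentials before release and fails if any route returns personal data. The route table, field names, sample record, token values and the `migrated` switch are constructed assumptions.

```python
# Added example (not EVO Banco, Bankinter or AEPD code): a change-management
# gate that probes an onboarding-style API without credentials before release.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

PII_FIELDS = {"name", "national_id", "iban", "income"}  # assumed field names
# Constructed sample record and session token; not real data.
CUSTOMERS = {"42": {"name": "A. Example", "national_id": "00000000X",
                    "iban": "ES0000000000000000000000", "income": 30000}}
VALID_TOKENS = {"session-placeholder"}

@dataclass
class Request:
    path: str
    token: Optional[str] = None  # None models an unauthenticated query

@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)
Handler = Callable[[Request], Response]

def requires_auth(handler: Handler) -> Handler:
    """Reject requests without a valid session token before the handler runs."""
    def wrapped(req: Request) -> Response:
        if req.token not in VALID_TOKENS:
            return Response(401, {"error": "authentication required"})
        return handler(req)
    return wrapped

def lookup_customer(req: Request) -> Response:
    record = CUSTOMERS.get(req.path.rsplit("/", 1)[-1])
    return Response(200, record) if record else Response(404)

def build_routes(migrated: bool) -> Dict[str, Handler]:
    """Route table keyed by a representative probe path per endpoint. migrated=True
    reproduces the failure mode: the change ships the lookup without its auth wrapper."""
    lookup = lookup_customer if migrated else requires_auth(lookup_customer)
    return {"/onboarding/customer/42": lookup,
            "/health": lambda req: Response(200, {"ok": True})}

def unprotected_pii_routes(routes: Dict[str, Handler]) -> List[str]:
    """Probe every route with no credentials; list those serving PII with 200."""
    leaks = []
    for path, handler in routes.items():
        resp = handler(Request(path=path, token=None))
        if resp.status == 200 and PII_FIELDS & set(resp.body):
            leaks.append(path)
    return leaks
```

Wiring `unprotected_pii_routes` into the release pipeline so a non-empty result blocks deployment is the check the article says was missing from the migration change.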
The proposed fine of €400,000 was reduced to €240,000 after Bankinter acknowledged liability and paid voluntarily in November 2025. The AEPD cited aggravating factors, including the scale of exposed financial and identity data, but applied mitigating factors because the merger transferred legal responsibility to Bankinter after EVO Banco’s deregistration in April 2025.
The case underscores the risks of inadequate API security and the limitations of internal risk assessments when financial data is involved. It also highlights the AEPD’s enforcement focus on data processing governance, with recent fines against Informa D&B (€1.8M), FC Barcelona (€500K), and Yoti (€950K) reinforcing its scrutiny across sectors.
Source: https://ppc.land/bankinter-fined-eur240k-for-evo-banco-data-breach-exposing-1-27m-records/
EVO Banco cybersecurity rating report: https://www.rankiteo.com/company/evo-banco
Bankinter cybersecurity rating report: https://www.rankiteo.com/company/bankinter
{"id": "EVOBAN1777652813",
 "linkid": "evo-banco, bankinter",
 "type": "Breach",
 "date": "3/2024",
 "severity": "100",
 "impact": "5",
 "explanation": "Attack threatening the organization's existence"}
{'affected_entities': [{'customers_affected': '1.27 million',
                        'industry': 'Financial Services',
                        'location': 'Spain',
                        'name': 'EVO Banco',
                        'type': 'Bank'}],
 'attack_vector': 'API Vulnerability',
 'customer_advisories': 'Mandatory disclosures under GDPR Article 34',
 'data_breach': {'data_encryption': 'No (unencrypted personal data)',
                 'data_exfiltration': 'Unconfirmed (attacker published data for 958 clients and 4 employees)',
                 'number_of_records_exposed': '1.27 million',
                 'personally_identifiable_information': 'Yes (national identity numbers, names, employment details, etc.)',
                 'sensitivity_of_data': 'High (financial and personally identifiable information)',
                 'type_of_data_compromised': ['Names', 'National identity numbers', 'IBANs', 'Employment details', 'VAT declarations', 'Income levels']},
 'date_detected': '2024-04-08',
 'date_publicly_disclosed': '2024-04-18',
 'description': 'Spain’s data protection authority (AEPD) has concluded its investigation into a 2024 cyberattack on EVO Banco, imposing a €240,000 fine on Bankinter after the lender absorbed EVO Banco through a merger. The breach exposed sensitive personal and financial data of over 1.27 million individuals due to an API vulnerability introduced during a system migration in February 2024.',
 'impact': {'brand_reputation_impact': 'Yes (EVO Banco and Bankinter)',
            'data_compromised': 'Personal and financial data of over 1.27 million individuals',
            'financial_loss': '€240,000 fine',
            'identity_theft_risk': 'High (exposed national identity numbers, IBANs, employment details, VAT declarations, income levels)',
            'legal_liabilities': 'GDPR violation, AEPD fine',
            'operational_impact': 'Mandatory disclosures under GDPR Article 34, police report filed',
            'payment_information_risk': 'High (exposed IBANs)',
            'systems_affected': 'Customer onboarding API'},
 'initial_access_broker': {'data_sold_on_dark_web': 'Advertised (1.3 million records)',
                           'entry_point': 'API vulnerability'},
 'investigation_status': 'Concluded',
 'lessons_learned': 'Risks of inadequate API security, limitations of internal risk assessments for financial data, importance of access control testing in change management processes.',
 'motivation': 'Financial gain (ransom demand)',
 'post_incident_analysis': {'corrective_actions': ['Restored API access controls', 'Forensic analysis', 'AEPD-ordered disclosures'],
                            'root_causes': ['Lack of API authorization checks', 'Unencrypted personal data', 'Inadequate change management testing for access control vulnerabilities']},
 'ransomware': {'data_exfiltration': 'Attempted (attacker published partial data)',
                'ransom_demanded': 'Yes',
                'ransom_paid': 'No'},
 'recommendations': 'Enhance API security controls, implement encryption for sensitive data, improve change management testing for access control vulnerabilities, and ensure timely breach notifications.',
 'references': [{'source': 'AEPD Investigation Report'}],
 'regulatory_compliance': {'fines_imposed': '€240,000 (reduced from €400,000)',
                           'legal_actions': 'AEPD investigation, mandatory disclosures',
                           'regulations_violated': 'GDPR',
                           'regulatory_notifications': 'AEPD intervention on 2024-04-18'},
 'response': {'communication_strategy': 'Mandatory disclosures under GDPR Article 34 (ordered by AEPD)',
              'law_enforcement_notified': 'Yes (police report filed on 2024-04-22)',
              'remediation_measures': 'API access control restoration, forensic analysis',
              'third_party_assistance': 'Cybercrime monitoring service (Dark Web post detection)'},
 'title': 'Spain’s AEPD Fines Bankinter €240,000 Over 2024 EVO Banco Data Breach',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Lack of access controls on an API used in customer onboarding'}