Spain's data protection authority has closed a long-running investigation into a 2024 cyberattack on EVO Banco, imposing a final fine of €240,000 on Bankinter, the lender that absorbed EVO Banco through a merger. The Agencia Espanola de Proteccion de Datos (AEPD) resolved the case under file reference EXP202406208, after Bankinter acknowledged liability and paid the reduced penalty voluntarily in November 2025. The decision, signed by AEPD president Lorenzo Cotino Hueso, represents the concluded chapter of an incident that began in March 2024 and generated ten formal complaints from affected individuals over the following year.

The breach and what triggered it

The attack originated in an API vulnerability introduced during a system migration at EVO Banco on 8 February 2024, according to information submitted by EVO Banco to the AEPD in June 2024. The affected API was used in the customer onboarding process - the path through which new clients apply for products on EVO Banco's web contracting portal. A change approved through EVO Banco's internal change management committee introduced an error that removed access controls on queries made to that system, meaning that requests could be submitted without valid user credentials and would still return data.

The window of exposure ran from 23 March 2024 to 27 March 2024. During those five days, according to the forensic report submitted to the AEPD by EVO Banco, exactly 5,473,299 requests were made to the vulnerable endpoint. Of those, 1,275,463 were successful, meaning they returned personal data. That figure is marginally higher than the 1,275,049 initially reported by EVO Banco in its breach notification, with the difference reflecting the forensic firm's more precise count based on recovered logs.

EVO Banco itself did not detect the attack in real time. The security team learned of a potential problem on 8 April 2024, when a third-party cybercrime detection service notified the bank that a post had appeared on a Dark Web forum claiming to hold a database of 1.3 million customers from an unnamed Spanish bank. The forum post dated from 30 March 2024. The attacker had joined the forum only weeks earlier and had minimal reputation. Still, analysts identified internal coding patterns in a sample of 10 records that matched EVO Banco's own customer identifiers. At that point, internal analysis began.

The bank's data protection officer was informed on 9 April 2024 at 21:30. A breach notification reached the AEPD on 13 April 2024. On 18 April 2024, the AEPD ordered EVO Banco to notify affected individuals under Article 34 of the GDPR, which the bank had initially decided not to do, having assessed the risk to data subjects as low.

What data was exposed

EVO Banco's initial breach notification described the compromised data as limited to basic identifying information: names, dates of birth, national identity numbers (DNI or NIE), passport numbers, and contact details. The bank also stated that no payment card numbers, account balances, passwords, or identity document images had been accessed.

The forensic investigation conducted by an independent auditing firm produced a more detailed picture. According to that report, the fields returned by the server in response to the malicious requests included names and surnames, DNI or NIE numbers, telephone numbers, economic regime data, IBAN numbers for bank accounts, product codes, information about contracted products, VAT declarations from the most recent tax year, years worked, employment status, and monthly income levels. The AEPD highlighted in its decision that the forensic record conflicted with EVO Banco's initial characterisation of the data as lacking financial or economic content.

The breach affected 1,275,049 individuals in total. These included current customers, former customers whose data remained in the system in a blocked state under Article 32 of Spain's data protection law, potential customers, and four EVO Banco employees. The AEPD's analysis estimated that the affected population represented at least 80 percent of all individuals for whom EVO Banco processed personal data, based on the bank's own records of activity volume across three affected processing categories.

The extortion attempt and data publication

Between 18 and 27 April 2024, the attacker made repeated contact with EVO Banco employees - including the bank's chief information security officer - threatening to publish data unless the bank paid a ransom. According to information EVO Banco submitted to the AEPD on 14 May 2024, "when EVO Banco refused to meet the cybercriminal's demands, the attacker escalated the intensity of the threats, indicating that it would proceed to publish part of the data accessed in the cyberattack in batches of 500 records per day. That threat was only carried out in relation to 958 affected clients and four employees of the entity."

EVO Banco filed a police complaint on 22 April 2024 with the Comisaria General de Informacion in Madrid, reference number 3202/24. The Brigada de Investigacion Tecnologica of the Policia Nacional had already contacted EVO Banco on 15 April 2024, having independently detected the Dark Web publication. After 27 April 2024, no further publications appeared, and the attacker described the matter as closed. Whether or not the full database was ever exfiltrated could not be confirmed. The forensic firm concluded that the data published on the Dark Web belonged to legitimate EVO Banco records and was consistent with data from the onboarding platform, but could not certify that all data returned by the server had been extracted by the attacker.

How the AEPD assessed the security failures

The AEPD's legal analysis centred on Article 5.1(f) of the GDPR, which requires personal data to be processed in a manner that ensures appropriate security, including protection against unauthorised access. The authority found that EVO Banco lacked adequate technical and organisational measures at the time of the breach.

Three specific deficiencies shaped the finding. First, the API validation process checked only whether the data returned was what had been requested - it did not verify that the requesting user had authorisation to access that data at all. Second, EVO Banco acknowledged in the breach notification form that the personal data was not encrypted, which the AEPD noted would have limited the impact of any successful access. Third, a change management review procedure existed but contained a gap: functional validation of API changes did not include testing for access denial to unauthorised users, which meant that the configuration error introduced in February 2024 passed through an approved change process undetected.
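The first and third deficiencies, modelled as an added example that is not code from EVO Banco, Bankinter or the forensic report: a toy onboarding lookup that only checks the returned record matches the request, the same lookup with a caller authorisation check, and the pre-deployment negative test whose absence let the change pass review. Record ids, tokens and field values are constructed sample data.

```python
# Toy model of an onboarding record lookup (constructed sample data, not EVO Banco's API).
RECORDS = {
    "APP-1001": {"id": "APP-1001", "name": "Sample Applicant A",
                 "dni": "00000001X", "iban": "ES00 0000 0000 0000 0000 0001"},
    "APP-1002": {"id": "APP-1002", "name": "Sample Applicant B",
                 "dni": "00000002Y", "iban": "ES00 0000 0000 0000 0000 0002"},
}

# Session tokens issued at login, mapped to the applicant that owns them (constructed).
SESSIONS = {"tok-a": "APP-1001", "tok-b": "APP-1002"}


class Forbidden(Exception):
    """Raised when a caller is not authorised for the requested record."""


def vulnerable_lookup(applicant_id, token=None):
    """Post-migration behaviour: the only validation is that the record returned
    is the one that was asked for. Nothing checks who is asking."""
    record = RECORDS.get(applicant_id)
    if record is None or record["id"] != applicant_id:
        return None
    return record


def hardened_lookup(applicant_id, token=None):
    """Fixed behaviour: authenticate the caller and verify ownership
    before any data is returned."""
    owner = SESSIONS.get(token)
    if owner is None:
        raise Forbidden("missing or invalid session token")
    if owner != applicant_id:
        raise Forbidden("token not authorised for this applicant")
    return RECORDS.get(applicant_id)


def change_validation(lookup):
    """The pre-deployment check the AEPD found missing from the change process:
    verify that unauthorised callers are denied, not only that the
    authorised path still returns the right data."""
    results = {}
    # Positive path: the owner reads its own record.
    results["owner_ok"] = lookup("APP-1001", "tok-a") == RECORDS["APP-1001"]
    # Negative paths: no credentials, and another applicant's credentials.
    for name, token in (("no_token_denied", None), ("wrong_token_denied", "tok-b")):
        try:
            lookup("APP-1001", token)
            results[name] = False  # data came back: access control is missing
        except Forbidden:
            results[name] = True
    return results
```

Run `change_validation` against both handlers: the vulnerable one passes the positive check and fails both negative checks, which is exactly the outcome a functional-only validation would never surface.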

Penetration tests carried out by a contracted security firm in December 2023 had identified a medium risk level across certain authentication processes and generated a remediation list. The vulnerability that caused the March 2024 breach was not, however, the specific subject of that December 2023 assessment - it arose from a subsequent migration.

The fine calculation and Bankinter's position

The proposed fine before any reductions was set at €400,000, classified as a violation of Article 5.1(f) of the GDPR, typified under Article 83.5 as a serious infringement carrying a maximum penalty of €20 million or 4 percent of annual global turnover, whichever is higher. For Bankinter, whose pre-tax results for 2024 stood at €1,360,000,000, the 4 percent ceiling was calculated at €54,400,000.

Aggravating factors included the scale of data processing inherent in a financial institution - ongoing collection of identification, financial, employment, and tax data across the customer lifecycle - and the volume and sensitivity of the specific data exposed. The combination of identity numbers with financial information and employment records, the AEPD noted, creates conditions for identity fraud and impersonation that isolated data categories do not.

A mitigating factor was applied: the existence of a merger-by-absorption subsequent to the infringement, which under Article 76.2(e) of Spain's national data protection law (LOPDGDD) cannot be attributed to the absorbing entity in the same way it would be attributed to the original infringer. EVO Banco, constituted in 2013, ceased to exist as a credit institution on 1 April 2025, when the Bank of Spain published its deregistration in the Official State Gazette (BOE), reference 7949, effective that date.

Because EVO Banco no longer existed as a legal entity, the AEPD transferred liability to Bankinter, which absorbed EVO Banco's legal personality under Spanish civil and banking law. That transfer of liability is what made the fine enforceable against Bankinter rather than EVO Banco.

On 6 November 2025, Bankinter paid the penalty at the discounted level of €240,000, applying two cumulative 20 percent reductions available under Article 85 of Spain's Administrative Procedure Law (LPACAP): one for acknowledging responsibility and one for voluntary early payment. Both reductions were conditional on Bankinter waiving any administrative appeal against the sanction.

Why this case matters beyond the fine

Several aspects of the case are worth examining for organisations that operate digital customer-facing platforms and process personal data at scale.

The initial risk assessment conducted by EVO Banco, which led it to classify the incident as low risk and decide against notifying affected individuals, was directly challenged by the AEPD. The authority intervened within five days of receiving the breach notification and ordered individual notification under Article 34. That sequence illustrates the limits of a controller's own risk classification when financial and identity data are involved. The AEPD's analysis of what constitutes high risk for purposes of Article 34 notification does not necessarily align with an entity's internal assessment when the data includes IBANs, tax declarations, and national identity numbers in combination.

The gap between EVO Banco's initial data description - which omitted financial fields - and the forensic firm's findings is also notable. Post-incident forensic analysis added a layer of economic and tax data to the record that the bank had not reported in its initial notification form. This discrepancy was central to the AEPD's finding that the measures in place were inadequate. Data breach notifications that underestimate the scope of exposed fields can themselves become evidence of insufficient internal data mapping.

The DORA and NIS2 frameworks, which now apply to financial institutions operating in EU member states, impose structured incident response and reporting requirements that go beyond GDPR alone. The legal commentary accompanying this case, shared by Giulio Coraggio of DLA Piper on LinkedIn, pointed to a wider gap in how organisations approach cyber incidents: "what I keep seeing in practice is a gap - companies are investing, rightly, in prevention. But they are not always equally prepared for the decision-making phase of an incident. And that is where the most relevant risk often sits."

The AEPD's enforcement pattern in Spain has been consistent across a range of sectors and data types. A €1.8 million fine against business data firm Informa D&B in early 2025 established that data processing without valid legal basis in commercial contexts attracts significant penalties. The €500,000 fine against FC Barcelona in March 2026 for deficient biometric data impact assessments extended that pattern into sports organisations. A March 2026 ruling imposing €950,000 on age-verification firm Yoti added further weight to the AEPD's focus on data processing governance. More broadly, a February 2026 AEPD guide on agentic AI and GDPR signalled the authority's attention to emerging technical architectures as new vectors for data exposure - including the API-level vulnerabilities that caused the EVO Banco breach.

For the marketing and adtech community, the case is a reminder that customer data collected through digital acquisition channels - precisely the type of data processed in EVO Banco's onboarding API - carries the same GDPR obligations as any other personal data. Customer relationship and onboarding systems that aggregate identity, contact, financial, and behavioural data in single API endpoints represent a concentrated risk point. An access control failure of the type seen here does not require a sophisticated attacker: the EVO Banco breach was carried out by an actor the bank's own providers described as having low reputation in the Dark Web forum where the data was advertised.

Timeline

  • 8 February 2024 - EVO Banco implements a planned change to its customer onboarding API through its internal change management process, introducing an access control vulnerability.
  • 23-27 March 2024 - The exposed API receives 5,473,299 requests during the window of vulnerability; 1,275,463 are successful, accessing personal data of over 1.27 million individuals.
  • 30 March 2024 - An attacker publishes a Dark Web post on a forum claiming to hold a database of 1.3 million customers from a Spanish bank, including a sample of 10 records.
  • 8 April 2024 - EVO Banco's security team is notified of the Dark Web post by a third-party cybercrime detection service.
  • 9 April 2024 - EVO Banco identifies the vulnerable API, restores the previous version, and informs its data protection officer at 21:30. A forensic firm and an independent penetration tester are commissioned.
  • 13 April 2024 - EVO Banco notifies the AEPD of the data breach via the authority's online form, classifying the risk to individuals as low.
  • 15 April 2024 - Spain's Brigada de Investigacion Tecnologica contacts EVO Banco after independently detecting the Dark Web publication.
  • 18 April 2024 - The AEPD orders EVO Banco to notify affected individuals under Article 34 of the GDPR. The AEPD also instructs its General Sub-Directorate for Data Inspection to begin a preliminary investigation.
  • 18-27 April 2024 - The attacker makes further Dark Web publications and contacts EVO Banco employees, including the CISO, demanding payment. Data for 958 clients and four employees is published on the Dark Web. EVO Banco declines to pay.
  • 22 April 2024 - EVO Banco files a police complaint with the Comisaria General de Informacion in Madrid, reference 3202/24.
  • 14-15 May 2024 - EVO Banco submits additional documents to the AEPD, including the police complaint, screenshots of the attacker's messages, and breach communication records. The AEPD issues a further information request.
  • 18 June 2024 - EVO Banco submits ten additional documents to the AEPD, including the forensic report, change management procedure, and penetration test results.
  • 13 October 2025 - The AEPD formally initiates sanction proceedings against Bankinter (as successor to EVO Banco), proposing a base fine of €400,000 for violation of Article 5.1(f) of the GDPR. Spain's AEPD had already fined business data firm Informa D&B €1.8 million in January 2025.
  • 6 November 2025 - Bankinter pays the reduced fine of €240,000, acknowledging liability and taking advantage of two cumulative 20 percent reductions under Article 85 of the LPACAP.
  • 1 April 2025 - EVO Banco is formally deregistered as a credit institution in Spain by the Bank of Spain, effective this date, published in the BOE on 18 April 2025.
  • March 2026 - Spain's AEPD fines FC Barcelona €500,000 for deficient biometric data impact assessment, and fines Yoti €950,000 over biometric data and consent failures, continuing an enforcement pattern across sectors.

Summary

Who: Bankinter S.A. (NIF A28157360), as the legal successor to EVO Banco S.A. (NIF A70386024), sanctioned by the Agencia Espanola de Proteccion de Datos (AEPD), Spain's national data protection authority, under file EXP202406208.

What: A cyberattack exploited an API vulnerability introduced during a system migration at EVO Banco, enabling 1,275,463 successful unauthorised queries to personal data over five days. The breach exposed names, national identity numbers, telephone numbers, IBAN numbers, employment data, VAT declarations, and other financial fields belonging to 1,275,049 individuals. The AEPD found a violation of Article 5.1(f) of the GDPR for inadequate technical and organisational security measures. Bankinter paid a final fine of €240,000 after two 20 percent reductions for acknowledging liability and paying voluntarily.

When: The API vulnerability was introduced on 8 February 2024. The breach window ran from 23 to 27 March 2024. EVO Banco detected the incident on 8-9 April 2024 and notified the AEPD on 13 April 2024. The AEPD initiated sanction proceedings on 13 October 2025. Bankinter paid the fine on 6 November 2025. The AEPD published the closing resolution thereafter.

Where: Spain. EVO Banco operated as a digital bank with no cross-border EU implications noted in the breach. The AEPD, headquartered at Calle Jorge Juan 6, 28001 Madrid, held jurisdiction as the competent national supervisory authority under Article 55 of the GDPR.

Why: An API used in EVO Banco's customer onboarding process contained an access control flaw following a February 2024 migration. Validation testing checked only whether the correct data was returned, not whether the requesting party had authorisation to receive it. The bank lacked data encryption on the affected fields. Taken together, the AEPD found these failures constituted inadequate security measures under the GDPR's integrity and confidentiality principle. The merger between EVO Banco and Bankinter transferred legal responsibility for the pre-existing infringement to the surviving entity.
