12/20/2024 | Press release | Archived content
The Sanctions Board of the Office of the Data Protection Ombudsman has imposed an administrative fine of EUR 950,000 on Sambla Group, a provider of loan comparison services. Because of poor data security, the contents of Sambla Group's customers' loan applications were accessible to third parties through the personal links intended for the customers. The company says that it no longer uses such links. Sambla Group was ordered to notify its customers of the incident.
A technical investigation by the Office of the Data Protection Ombudsman revealed serious data security issues in Sambla Group's lainaparkki.fi and rahoitu.fi loan comparison services. The company was ordered to cease processing the personal data of loan applicants in its electronic services as soon as the seriousness of the data security issues became apparent in March 2024. The investigation was launched on the basis of a report made to the Data Protection Ombudsman.
The investigation revealed that the services lacked adequate access restrictions to prevent third parties from reading the data in the loan applications. Anyone who obtained the URL intended for the customer and had sufficient technical expertise to exploit the security vulnerability had direct access to the data. Sambla Group has announced that it has stopped using the vulnerable URLs and improved the data security of its services.
"The security of the URLs in the service was very low. Cyber criminals are constantly looking for and exploiting such vulnerabilities. That is why it is crucial to regularly assess the adequacy of data security in electronic services", says Deputy Data Protection Ombudsman Heljä-Tuulia Pihamaa.
The technical investigation also revealed that the URLs had been targeted by phishing and that personal data had been passed on to third parties. The information available through the links included at least the loan applicant's contact details, as well as information on their income, housing costs, marital status and any children. The Deputy Data Protection Ombudsman ordered Sambla Group to notify those customers whose information could have been accessed by third parties.
"This data sheds light on people's financial circumstances. If your data has been leaked, you should be alert for unusual communications. You should not answer strange phone calls or messages, and you should not give out any personal information if the request is at all suspicious. If you are targeted by fraud, blackmail or identity theft, you need to report it to the police", Pihamaa says.
The decision is not yet final and can be appealed in the Administrative Court.
Decisions of the Deputy Data Protection Ombudsman and Sanctions board in Finlex in Finnish
Decision of the Deputy Data Protection Ombudsman on the personal data breach in Finlex in Finnish
Additional information:
Deputy Data Protection Ombudsman Heljä-Tuulia Pihamaa, helja-tuulia.pihamaa(at)om.fi, tel. +358 29 566 6787
viestinta.tietosuoja(at)om.fi
The decision-making of the sanctions board and the legal protection of controllers are provided for in the Finnish Data Protection Act. The sanctions board is made up of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen, and it has the power to impose administrative fines for violations of data protection legislation. The maximum administrative fine is four percent of the company's annual turnover or EUR 20 million, whichever is higher.