Press release
Aktia Bank Plc
28 October 2025 at 11.50 a.m.

The data protection authority issued a reprimand to Aktia Bank Plc and imposed a fine of EUR 865,000

Aktia has received a reprimand from the Deputy Data Protection Ombudsman and an administrative fine of EUR 865,000 from the Sanctions Board of the Office of the Data Protection Ombudsman on the basis of the General Data Protection Regulation. The decision is not final. 

The sanctions are due to an error in Aktia's identification service in January 2023. As a result of the error, Aktia's customers were able to see the data of other customers in various services used through strong authentication, but not in Aktia’s own online services. The data breach concerned a limited number of Aktia’s customers, approximately 350 people, and lasted less than an hour.

Aktia responded to the data breach instantly and immediately took steps to minimise the damage. The software product that caused the error was quickly disabled after the error was detected. In its decision, the data protection authority also considers that the duration of the breach demonstrates Aktia’s ability to respond quickly to detected incidents and that Aktia also has done so.

Aktia takes the incident very seriously and apologises to customers for the inconvenience. Aktia thoroughly analysed the causes of the incident immediately after the incident took place and took additional measures to prevent similar errors from occurring in the future.

The decision of the data protection authority does not affect Aktia’s customers. Aktia has long prioritised operational safety by complying with official regulations and developing internal practices that go beyond these requirements. Aktia will continue to systematically improve quality assurance processes and to provide employees with data protection and information security training to ensure the level of information security required for its operations in the future. Customers can be confident that Aktia's services can be used safely.

In Aktia's view, the decision of the data protection authority contains incorrect interpretations of Aktia's data security testing prior to the incident. Aktia considers the authority's interpretations of the applicable regulation as well as the fine imposed to be severe in relation to the incident, which is an isolated case and in which Aktia through its responsiveness and response time has demonstrated its organisation-level information security.  Aktia will appeal against the decision to the administrative court.

Further information

Mia Smeds, Communications Director, tel. 044 546 0379, e-mail viestinta (at) aktia.fi

Aktia is a Finnish asset manager, bank and life insurer that has been creating wealth and wellbeing from one generation to the next for 200 years. We serve our customers in digital channels everywhere and face-to-face in our offices in the Helsinki, Turku, Tampere, Vaasa and Oulu regions. Our award-winning asset management business sells investment funds internationally. We employ approximately 850 people around Finland. Aktia's gross assets under management (AuM) on 30 June 2025 amounted to EUR 15.9 billion, and the balance sheet total was EUR 12.2 billion. Aktia's shares are listed on Nasdaq Helsinki Ltd (AKTIA). aktia.com.