The Superintendencia de Industria y Comercio (SIC) has imposed a fine of over $700 million COP on Scotiabank Colpatria, a subsidiary of the Canadian bank Scotiabank (TSX: BNS, NYSE: BNS), following an investigation into a data breach that exposed the personal information of more than 700,000 clients. The incident involved Walter Alexander Ladino Molano, a former director at the bank, who was later convicted in a separate criminal proceeding.
According to a resolution issued by the SIC, the sanction, which totals $700.8 million COP, was levied on September 12, 2025. The authority determined that Scotiabank Colpatria failed to implement sufficient security measures to protect client data, violating Law 1581 of 2012 and Decree 1074 of 2015, which govern data protection in Colombia.
The SIC’s investigation found that between 2019 and 2022, Ladino Molano, who served as the bank’s director of regulatory reports, sent over 400 files containing client information from his work computer to his personal email address. He utilized an exception in the bank’s internal controls that allowed for the external transfer of encrypted files. This action compromised the data of approximately 721,000 clients.
While Ladino Molano denied any direct link to a third-party entity, he admitted to selling the data. His actions resulted in a separate criminal conviction, with a Colombian court sentencing him to 60 months in prison and a fine equivalent to 100 minimum monthly salaries for the aggravated violation of personal data and the use of communication networks.
The investigation revealed that the compromised data was transferred to a call center identified as The Best Marketing Limit. This firm allegedly used the information for unauthorized telephone sales and fraudulent financial transactions. The Asociación para la Investigación, Información y Control de los Sistemas de Tarjetas de Débito y Crédito (Incocrédito), a private entity, confirmed that several bank cards that had been used in transactions at the call center were subsequently affected by fraudulent activity.
In a statement to the press, the legal representative for The Best Marketing Limit stated that the firm had purchased databases from distributors in the market, a practice prohibited under Colombian law. The lawyer also confirmed that the call center is no longer operational, citing investigations by the Fiscalía General de la Nación and Incocrédito. The attorney denied any direct contact between the firm and Ladino Molano.
In addition to the fine against the institution, the SIC individually sanctioned Ladino Molano with a fine of $8.04 million COP for his role in the breach.
Following the incident, Scotiabank Colpatria terminated Ladino Molano’s employment and stated it reinforced its security protocols. The bank issued a statement affirming its intention to appeal the SIC’s resolution, noting that the decision is not yet final. The financial institution maintains its commitment to regulatory compliance and the protection of client information.
The incident highlights the vulnerabilities within some financial systems and the methods by which criminal networks can exploit internal weaknesses to obtain and monetize personal data. Colombian law, including Law 1266 of 2008 (Habeas Data Financiero), classifies financial and credit information as private, restricting its collection, use, and transfer without explicit consent from the data owner. The SIC is the government body responsible for enforcing these data protection regulations and imposing penalties for non-compliance.
Leave a Reply