Industry - Enforcement

Severity: moderate | Tags: Anti-Privacy, Enforcement

Executive Summary

Italy's data protection authority fined Intesa Sanpaolo, the country's largest banking group, €31.8 million after an employee improperly accessed the banking information of 3,573 customers over a two-year period from February 2022 to April 2024. The regulator cited inadequate technical and organizational security measures that allowed the employee to conduct more than 6,600 unauthorized queries. The penalty represents one of Italy's largest data protection fines for insider misuse of customer...

What Happened

Italy's data protection authority fined Intesa Sanpaolo €31.8 million after discovering that a bank employee conducted unauthorized access to customer banking information over a two-year period from February 2022 to April 2024. The employee performed more than 6,600 unauthorized queries, improperly accessing the banking data of 3,573 customers. The regulator determined that Intesa Sanpaolo failed to implement adequate technical and organizational security measures to prevent or detect this insider abuse.

Who Is Affected

The breach directly affected 3,573 customers of Intesa Sanpaolo, Italy's largest banking group, whose personal banking information was improperly accessed by an employee. These customers had their financial data viewed without authorization during the two-year period, though the source material does not specify what actions these customers should expect from the bank or what types of banking information were accessed.

Why It Matters

This case represents one of Italy's largest data protection fines for insider misuse of customer data and highlights the persistent risk posed by insiders who hold legitimate access to sensitive information. The substantial penalty underscores the regulatory expectation that financial institutions implement robust internal controls and monitoring systems to detect and prevent employees abusing their access privileges. The two-year gap before detection raises questions about the adequacy of audit and monitoring practices across the banking sector.
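The monitoring gap described above, a single employee running thousands of customer lookups over two years, is the kind of pattern a basic access-log baseline would surface. The following is an added illustration, not code from the regulator, the bank, or this site; it assumes a hypothetical CSV access log (timestamp, employee id, customer id, action) and uses constructed sample data and made-up thresholds.

```python
"""Flag employees whose daily distinct-customer lookups stand out from their peers.

Added example with constructed data; the log format, employee/customer ids and
thresholds are assumptions, not details from the Intesa Sanpaolo case.
"""
from collections import defaultdict
from datetime import datetime
import statistics


def build_sample_log():
    """Construct a small access log: three ordinary employees plus one sweeping
    through many unrelated customer records (all ids are made up)."""
    lines = []
    for day in ("2024-03-04", "2024-03-05"):
        for emp in ("emp-011", "emp-012", "emp-013"):
            for i in range(3):  # three lookups a day is 'normal' in this sample
                lines.append(f"{day}T09:{i:02d}:00,{emp},cust-{emp[-3:]}{i},VIEW_BALANCE")
    for i in range(40):  # one employee views 40 distinct customers in an afternoon
        lines.append(f"2024-03-05T13:{i:02d}:00,emp-017,cust-9{i:03d},VIEW_BALANCE")
    return "\n".join(lines)


def parse_log(text):
    """Parse 'timestamp,employee,customer,action' lines into tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, emp, cust, action = line.split(",")
        records.append((datetime.fromisoformat(ts), emp, cust, action))
    return records


def daily_distinct_customers(records):
    """Map (employee, date) -> set of distinct customer ids looked up that day."""
    per_day = defaultdict(set)
    for ts, emp, cust, _action in records:
        per_day[(emp, ts.date())].add(cust)
    return per_day


def flag_outliers(records, hard_limit=25, peer_multiplier=3.0):
    """Return employee-days that exceed a hard cap or a multiple of the peer median.

    hard_limit and peer_multiplier are illustrative values; a real deployment
    would set them per role and over a longer window than a single day.
    """
    counts = {key: len(custs) for key, custs in daily_distinct_customers(records).items()}
    baseline = statistics.median(counts.values()) if counts else 0
    flags = []
    for (emp, day), n in sorted(counts.items()):
        reasons = []
        if n > hard_limit:
            reasons.append(f"{n} distinct customers exceeds hard limit {hard_limit}")
        if baseline > 0 and n > peer_multiplier * baseline:
            reasons.append(f"{n} is more than {peer_multiplier}x the peer median of {baseline}")
        if reasons:
            flags.append({"employee": emp, "date": day.isoformat(),
                          "distinct_customers": n, "reasons": reasons})
    return flags


if __name__ == "__main__":
    for flag in flag_outliers(parse_log(build_sample_log())):
        print(flag)
```

The peer-median comparison matters more than the fixed cap: a cap alone is easy to stay under by spreading lookups across days, which is consistent with a multi-year pattern of a few queries at a time, whereas a rolling comparison against colleagues in the same role catches sustained deviation rather than only spikes.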

What You Should Do

If you are a customer of Intesa Sanpaolo, contact the bank directly to confirm whether your account was among those improperly accessed and request details about what information was viewed. Monitor your bank statements and credit reports closely for any suspicious activity or signs of identity theft resulting from the breach. Consider placing fraud alerts on your accounts and ask the bank what specific protective measures or monitoring services they are offering to affected customers as remediation.

AI-Assisted

Event summaries are generated by Claude AI from verified sources and reviewed by humans before publication.

Italy's data protection authority fined Intesa Sanpaolo, the country's largest... - Industry | PrivacyWire