What happened
Italy’s data protection regulator fined Intesa Sanpaolo €31.8 million, or about $36 million, after finding that the bank failed to adequately protect customer banking information. The regulator said an employee accessed the banking information of 3,573 customers between February 2022 and April 2024 without a valid business reason. The investigation began after Intesa Sanpaolo disclosed a data breach in July 2024. According to the regulator, the unauthorized access was not detected by internal control systems, revealing weaknesses in monitoring and prevention mechanisms. The authority also said the bank’s operating model allowed staff to query the entire customer base without sufficient controls to prevent or identify improper access.
Who is affected
The direct exposure affects 3,573 Intesa Sanpaolo customers whose banking information was improperly accessed. The regulator said the affected group included high-risk customers and well-known public figures who, in its view, should have been subject to stronger controls.
Why CISOs should care
This matters because the case centers on internal unauthorized access that continued for more than two years without being caught by existing controls. It also highlights how data protection failures can extend beyond the access itself to include weaknesses in monitoring, prevention, and breach notification processes.
3 practical actions
- Review insider-access controls: Confirm that employees cannot broadly query sensitive customer data without controls that can prevent and detect unauthorized access.
- Apply stronger controls to high-risk records: Ensure high-profile or otherwise high-risk customer accounts are subject to enhanced monitoring and access restrictions.
- Test breach-notification execution: Validate that customer notifications are complete and can be issued within legal deadlines if improper access is discovered.
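The first two actions above come down to one question a control owner can test: does the access log of the customer-data system surface an employee who reads records without a business reason, sweeps across many customers, or touches a high-risk record without approval? The following is an added illustration of that detection logic, written for this page and not code from the article or from Intesa Sanpaolo. It assumes a log format, a per-day breadth baseline, a set of flagged high-risk customers and a list of pre-approved cases; all of those values and the sample log lines are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample of a customer-data access log (not real bank data).
# Fields: timestamp, employee id, customer id, and the case/ticket the lookup
# was performed under ("-" means the employee supplied no business reason).
SAMPLE_LOG = [
    "2024-03-01T09:12:00 emp=E100 cust=C001 case=T-5521",
    "2024-03-01T09:40:00 emp=E100 cust=C002 case=T-5522",
    "2024-03-01T10:05:00 emp=E200 cust=C010 case=-",
    "2024-03-01T10:06:00 emp=E200 cust=C011 case=-",
    "2024-03-01T10:07:00 emp=E200 cust=C012 case=-",
    "2024-03-01T10:08:00 emp=E200 cust=C013 case=-",
    "2024-03-01T11:30:00 emp=E300 cust=C900 case=T-7000",
    "2024-03-01T11:45:00 emp=E300 cust=C901 case=T-7001",
]

# Assumed control data: which customers carry enhanced protection (public
# figures, other high-risk accounts) and which cases were approved to touch them.
HIGH_RISK_CUSTOMERS = {"C900", "C901"}
APPROVED_HIGH_RISK_CASES = {"T-7001"}
# Assumed baseline: how many distinct customers one employee may look up per
# day before the breadth of querying is itself treated as anomalous.
DISTINCT_CUSTOMERS_PER_DAY = 3


@dataclass(frozen=True)
class Access:
    ts: str
    employee: str
    customer: str
    case: Optional[str]


def parse_line(line: str) -> Access:
    """Parse one 'ts key=value ...' log line into an Access record."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    case = kv.get("case")
    if not case or case == "-":
        case = None
    return Access(ts, kv["emp"], kv["cust"], case)


def find_violations(lines):
    """Return (rule, employee, detail) tuples for accesses that break a control."""
    accesses = [parse_line(line) for line in lines]
    findings = []

    for a in accesses:
        # Rule 1: every read of customer data must be tied to a case/ticket.
        if a.case is None:
            findings.append(("no_business_reason", a.employee, a.customer))
        # Rule 2: high-risk records need a case that was pre-approved for them.
        elif a.customer in HIGH_RISK_CUSTOMERS and a.case not in APPROVED_HIGH_RISK_CASES:
            findings.append(("high_risk_unapproved", a.employee, a.customer))

    # Rule 3: breadth of querying. Count distinct customers per employee per
    # day; a role serving a small portfolio should not sweep the customer base.
    per_day = defaultdict(set)
    for a in accesses:
        per_day[(a.employee, a.ts[:10])].add(a.customer)
    for (emp, day), custs in sorted(per_day.items()):
        if len(custs) > DISTINCT_CUSTOMERS_PER_DAY:
            findings.append(("broad_query", emp, f"{day}:{len(custs)} customers"))

    return findings


def summarize(findings):
    """Group findings by employee so each one can be reviewed as a case."""
    by_emp = defaultdict(set)
    for rule, emp, _ in findings:
        by_emp[emp].add(rule)
    return dict(by_emp)


if __name__ == "__main__":
    for finding in find_violations(SAMPLE_LOG):
        print(finding)
    print(summarize(find_violations(SAMPLE_LOG)))
```

On the constructed log, employee E100 produces no findings, E200 is flagged for four reads with no case reference and for querying four distinct customers in one day, and E300 is flagged once for reading a high-risk record under a case that was not approved for it. The point for the control review is that rules 1 and 3 only work if the application records the case reference and the employee identity on every query; a system that lets staff browse the whole customer base without capturing either gives the detection nothing to work with.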
