Italian Regulator Fines Intesa Sanpaolo $36 Million for Data Protection Failures

Related

KDDI Confirms Zero-Day Exploit Behind Breach Affecting 12 Million People

What happened KDDI has updated its earlier breach disclosure, confirming...

Aflac Japan Data Breach Impacts 4.38 Million Customers and Agents

What happened Aflac Life Insurance Japan disclosed a data breach...

Nissan Discloses Employee Data Breach Linked to Oracle Zero-Day Attacks

What happened Nissan disclosed a data breach affecting current and...

KDDI Breach Exposes Up to 14.2 Million Email Logins at Six ISPs

What happened Japanese telecommunications operator KDDI disclosed a data breach...

Xsolis Data Breach Affects 1.4 Million Individuals

What happened Healthcare technology company Xsolis disclosed a data breach...

Share

What happened

Italy’s data protection regulator fined Intesa Sanpaolo €31.8 million, or about $36 million, after finding that the bank failed to adequately protect customer banking information. The regulator said an employee accessed the banking information of 3,573 customers between February 2022 and April 2024 without a valid business reason. The investigation began after Intesa Sanpaolo disclosed a data breach in July 2024. According to the regulator, the unauthorized access was not detected by internal control systems, revealing weaknesses in monitoring and prevention mechanisms. The authority also said the bank’s operating model allowed staff to query the entire customer base without sufficient controls to prevent or identify improper access. 

Who is affected

The direct exposure affects 3,573 Intesa Sanpaolo customers whose banking information was improperly accessed. The regulator said the affected group included high-risk customers and well-known public figures who, in its view, should have been subject to stronger controls. 

Why CISOs should care

This matters because the case centers on internal unauthorized access that continued for more than two years without being caught by existing controls. It also highlights how data protection failures can extend beyond the access itself to include weaknesses in monitoring, prevention, and breach notification processes. 

3 practical actions

  1. Review insider-access controls: Confirm that employees cannot broadly query sensitive customer data without controls that can prevent and detect unauthorized access. 
  2. Apply stronger controls to high-risk records: Ensure high-profile or otherwise high-risk customer accounts are subject to enhanced monitoring and access restrictions. 
  3. Test breach-notification execution: Validate that customer notifications are complete and can be issued within legal deadlines if improper access is discovered. 

For more news about incidents involving exposure and misuse of customer information, click Data Breach to read more.

IMG 0514 2
+ posts

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.