Italian Regulator Fines Intesa Sanpaolo $36 Million for Data Protection Failures


What happened

Italy’s data protection regulator fined Intesa Sanpaolo €31.8 million, or about $36 million, after finding that the bank failed to adequately protect customer banking information. The regulator said an employee accessed the banking information of 3,573 customers between February 2022 and April 2024 without a valid business reason. The investigation began after Intesa Sanpaolo disclosed a data breach in July 2024. According to the regulator, the unauthorized access was not detected by internal control systems, revealing weaknesses in monitoring and prevention mechanisms. The authority also said the bank’s operating model allowed staff to query the entire customer base without sufficient controls to prevent or identify improper access. 

Who is affected

The direct exposure affects 3,573 Intesa Sanpaolo customers whose banking information was improperly accessed. The regulator said the affected group included high-risk customers and well-known public figures who, in its view, should have been subject to stronger controls. 

Why CISOs should care

This matters because the case centers on internal unauthorized access that continued for more than two years without being caught by existing controls. It also highlights how data protection failures can extend beyond the access itself to include weaknesses in monitoring, prevention, and breach notification processes. 

3 practical actions

  1. Review insider-access controls: Confirm that employees cannot broadly query sensitive customer data without controls that can prevent and detect unauthorized access. 
  2. Apply stronger controls to high-risk records: Ensure high-profile or otherwise high-risk customer accounts are subject to enhanced monitoring and access restrictions. 
  3. Test breach-notification execution: Validate that customer notifications are complete and can be issued within legal deadlines if improper access is discovered. 
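The first two actions above describe what a detection control has to do: notice when one employee queries far more distinct customer records than a case-driven workload would explain, notice lookups with no recorded business reason, and always surface lookups against accounts that carry enhanced controls. The following is an added example, not code from the article or from the bank; it assumes a hypothetical access log in which every core-banking lookup records the employee, the customer record, a timestamp and an optional case or ticket reference, plus a separate watch-list of high-risk accounts. The threshold, identifiers and log entries are all constructed.

```python
"""Toy insider-access review over a constructed access log (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AccessEvent:
    """One customer-record lookup as written to a hypothetical access log."""
    employee: str
    customer: str
    ts: str                       # ISO-8601 timestamp, kept as text for simplicity
    ticket: Optional[str] = None  # business-reason reference; None = no reason recorded


# Constructed sample log: employee and customer identifiers are made up.
SAMPLE_LOG = [
    AccessEvent("emp-100", "cust-0001", "2024-04-01T09:00:00", "CASE-1"),
    AccessEvent("emp-100", "cust-0002", "2024-04-01T09:20:00", "CASE-2"),
    AccessEvent("emp-200", "cust-0003", "2024-04-01T10:00:00"),
    AccessEvent("emp-200", "cust-0004", "2024-04-01T10:02:00"),
    AccessEvent("emp-200", "cust-0005", "2024-04-01T10:05:00"),
    AccessEvent("emp-200", "cust-0006", "2024-04-01T10:07:00"),
    AccessEvent("emp-300", "cust-9001", "2024-04-02T14:00:00", "CASE-7"),
]

# Constructed watch-list: accounts that warrant enhanced controls
# (the article's "high-risk customers and well-known public figures").
WATCHLIST = {"cust-9001"}

# Hypothetical threshold: more distinct customers than this in one log window
# is treated as broad querying rather than case-driven lookups.
DISTINCT_CUSTOMER_THRESHOLD = 3


def find_broad_queries(events, threshold=DISTINCT_CUSTOMER_THRESHOLD):
    """Map employee -> number of distinct customers, for employees over the threshold."""
    per_employee = defaultdict(set)
    for e in events:
        per_employee[e.employee].add(e.customer)
    return {emp: len(c) for emp, c in per_employee.items() if len(c) > threshold}


def find_unjustified_access(events):
    """Lookups with no case/ticket reference, i.e. no recorded business reason."""
    return [e for e in events if not e.ticket]


def find_watchlist_access(events, watchlist=WATCHLIST):
    """Every lookup against a watch-listed account; these are reviewed unconditionally."""
    return [e for e in events if e.customer in watchlist]


def review_report(events, watchlist=WATCHLIST, threshold=DISTINCT_CUSTOMER_THRESHOLD):
    """Combine the three checks into one review queue for the control function."""
    broad = find_broad_queries(events, threshold)
    unjustified = find_unjustified_access(events)
    watched = find_watchlist_access(events, watchlist)
    flagged = set(broad) | {e.employee for e in unjustified} | {e.employee for e in watched}
    return {
        "broad_queries": broad,
        "unjustified_count": len(unjustified),
        "watchlist_events": [(e.employee, e.customer, e.ts) for e in watched],
        "employees_for_review": sorted(flagged),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(review_report(SAMPLE_LOG), indent=2))
```

On the constructed log, emp-200 is flagged on two grounds (four distinct customers with no ticket on any lookup) and emp-300 appears only because the lookup touched a watch-listed account, which is the point of the second action: a justified lookup against a high-risk record still gets reviewed. In a real deployment the threshold would be calibrated per role against historical volumes, and the watch-list check would typically gate the query up front rather than only appear in an after-the-fact report.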


John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.