Intesa Sanpaolo Hit With €31.8 million Fine After Insider Data Breach Went Undetected for Years
Key Takeaways
- Prolonged Insider Access Failure: An employee accessed 3,573 customer accounts over two years without detection, exposing significant gaps in internal monitoring and access controls.
- Control Design Under Scrutiny: Regulators pointed to structural weaknesses in how access to customer data was configured, allowing broad queries without adequate safeguards.
- Breakdown in Breach Response: Delayed and incomplete breach notification, along with late communication to customers, compounded the severity of the violation.
- High-Risk Data Exposure: The breach included individuals with prominent public roles, where enhanced protections should have been in place.
- Pattern of Enforcement: The $34.5 million (€31.8 million) fine follows a separate $19.1 million (€17.6 million) penalty earlier this month, signaling sustained regulatory pressure on data governance practices.
Deep Dive
Italy’s privacy regulator has fined Intesa Sanpaolo €31.8 million after concluding that a prolonged, undetected data breach exposed deep flaws in the bank’s internal controls and security oversight. The decision from the Italian Data Protection Authority follows an investigation triggered by the bank’s own breach notification in July 2024. What emerged was not a one-off lapse, but a pattern of unauthorized access stretching over more than two years.
Between February 2022 and April 2024, a single employee accessed the banking data of 3,573 customers without justification, carrying out more than 6,600 queries. None of it was flagged in real time. That failure sits at the heart of the regulator’s case. The activity wasn’t particularly sophisticated, nor hidden behind complex attack vectors. Instead, it unfolded within the bank’s own systems, unnoticed.
For the authority, that pointed to something more fundamental than a rogue employee. It exposed a control environment that allowed broad access to customer data without sufficiently robust safeguards to detect or stop misuse.
The breach also touched “high-risk” individuals, including customers with prominent public roles, where heightened protections would normally be expected.
Controls That Didn’t Catch What They Were Designed to Catch
In its findings, the authority focused heavily on the structure of Intesa Sanpaolo’s internal access model. Employees were able to query large portions of the customer base in what regulators described as a “circular” manner, without adequate counterbalancing controls.
That design flaw meant the issue wasn’t just about monitoring gaps. It was about how access itself had been configured.
The regulator concluded that the bank failed to meet core data protection obligations, including ensuring the integrity and confidentiality of personal data, and demonstrating accountability through effective technical and organizational measures.
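As an added illustration (not from the article, and not the bank's own tooling), the following Python sketch shows the two detections the regulator's findings imply were missing: an employee whose count of distinct customers queried keeps climbing across a rolling window, and any touch of an account flagged as needing heightened protection. The log format, thresholds and watchlist are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed watchlist of accounts needing heightened protection; the article
# mentions customers with prominent public roles but names no accounts.
HIGH_RISK_ACCOUNTS = {"cust-9001"}


def build_sample_log():
    """Constructed access log of (employee, customer, ISO timestamp) tuples:
    one teller revisiting the same five customers, one insider sweeping
    two new customers every day. This schema is an assumption."""
    log, base = [], datetime(2022, 2, 1)
    for day in range(40):
        ts = (base + timedelta(days=day)).isoformat()
        log.append(("emp-007", f"cust-{1000 + day % 5}", ts))   # normal pattern
        log.append(("emp-042", f"cust-{2000 + day * 2}", ts))   # broad sweep
        log.append(("emp-042", f"cust-{2001 + day * 2}", ts))
    log.append(("emp-007", "cust-9001", (base + timedelta(days=41)).isoformat()))
    return log


def detect_broad_access(log, window_days=30, max_distinct_customers=50):
    """Return alerts: ('high_risk_access', emp, cust, ts) for every touch of a
    watchlisted account, and ('broad_access', emp, distinct_count, date) the
    first time an employee's distinct-customer reach in any rolling window
    exceeds the baseline. Thresholds are illustrative, not the bank's."""
    alerts, by_emp = [], defaultdict(list)
    for emp, cust, ts in log:
        t = datetime.fromisoformat(ts)
        if cust in HIGH_RISK_ACCOUNTS:
            alerts.append(("high_risk_access", emp, cust, ts))
        by_emp[emp].append((t, cust))
    for emp, events in by_emp.items():
        events.sort()
        start, seen = 0, defaultdict(int)          # customer -> hits in window
        for t, cust in events:
            seen[cust] += 1
            while events[start][0] < t - timedelta(days=window_days):
                old = events[start][1]             # slide the window forward
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) > max_distinct_customers:
                alerts.append(("broad_access", emp, len(seen), t.date().isoformat()))
                break                              # one alert opens the case
    return alerts
```

The sweep is caught within weeks rather than after two years because the rule keys on breadth of distinct customers, not on the volume of queries, which a legitimate heavy user can also produce.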
A Delayed Response That Raised Further Concerns
The problems did not end with the breach itself.
Regulators found that the bank’s notification was both late and incomplete under applicable legal requirements. Communication to affected customers was also delayed, only taking place after a prior intervention by the authority in November 2024.
That delay, the authority said, limited its ability to act quickly to protect affected individuals, turning a control failure into a broader governance issue.
Another Enforcement Action in Quick Succession
The fine lands just weeks after the same authority imposed a separate €17.6 million penalty on Intesa Sanpaolo over how it handled the transfer of customers to its digital subsidiary, Isybank.
In that earlier case, the regulator found that the bank had profiled around 2.4 million customers to determine who would be moved to the digital platform, without a valid legal basis. It also criticized how customers were informed, noting that key communications were not sufficiently visible or clear.
The two decisions suggest more than isolated missteps. They point to sustained regulatory scrutiny across both data security and data usage practices.