Intesa Sanpaolo fined €31.8 million by Privacy Authority for unauthorized access to customer data
The Italian Data Protection Authority has imposed a fine of €31.8 million on Intesa Sanpaolo, following an investigation that began after a data breach reported by the bank in July 2024. The decision highlights significant shortcomings in the technical and organizational measures adopted to ensure the security of personal data.
The central issue involved the actions of an employee who, between February 21, 2022, and April 24, 2024, gained unauthorized access to the banking data of 3,573 customers. In total, more than 6,600 lookups were performed and, according to the Authority's findings, they took place without any justified operational reason.
One of the most critical aspects that emerged was the inability of the internal systems to detect such anomalies. For over two years, the unauthorized accesses went undetected, indicating significant gaps in monitoring and prevention mechanisms. The operational model allowed operators to query the entire customer base extensively, without adequate controls capable of identifying anomalous or unauthorized behavior.
The incident also involved individuals considered "high-risk," including customers holding public office or prominent roles, for whom enhanced levels of protection and oversight would have been necessary. This element reinforced the Authority's negative assessment of the overall adequacy of the measures adopted.
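The monitoring gap described above (operators free to query the whole customer base, no control flagging unusual volumes, no enhanced oversight of high-risk accounts) is the kind of control that a detection rule over access audit logs is meant to close. The following is an added example and is not code from the bank, from the Authority's decision, or from any real monitoring product; the log format, the operator and customer identifiers, the high-risk list and the per-day threshold are all constructed assumptions. It reads sample audit lines and flags three things: lookups with no recorded case reference, any lookup of a customer under enhanced oversight, and operators whose number of distinct customers viewed in a day exceeds a baseline.

```python
"""
Added example: a minimal access-anomaly check over constructed audit-log lines.
Not the bank's system; log format, thresholds and identifiers are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed log lines. Format (assumed): timestamp|operator|customer_id|action|case_ref
# An empty case_ref means the operator recorded no operational justification.
SAMPLE_LOG = """\
2024-03-01T09:02:11|op-1001|C-4481|VIEW_ACCOUNT|CASE-7781
2024-03-01T09:05:40|op-1001|C-4482|VIEW_ACCOUNT|CASE-7782
2024-03-01T09:07:02|op-2002|C-1200|VIEW_ACCOUNT|
2024-03-01T09:07:30|op-2002|C-1201|VIEW_ACCOUNT|
2024-03-01T09:08:01|op-2002|C-1202|VIEW_ACCOUNT|
2024-03-01T09:08:44|op-2002|C-1203|VIEW_ACCOUNT|
2024-03-01T09:09:12|op-2002|C-9001|VIEW_ACCOUNT|
2024-03-01T09:09:50|op-2002|C-1204|VIEW_ACCOUNT|
2024-03-02T10:15:00|op-1001|C-9001|VIEW_ACCOUNT|CASE-7790
"""

# Constructed list of customers under enhanced oversight (e.g. public office holders).
HIGH_RISK_CUSTOMERS = {"C-9001"}

# Assumed baseline: how many distinct customers one operator may look up per day
# before the volume is treated as anomalous.
MAX_DISTINCT_CUSTOMERS_PER_DAY = 5


def parse_log(text):
    """Parse pipe-separated audit lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, operator, customer, action, case_ref = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "operator": operator,
            "customer": customer,
            "action": action,
            "case_ref": case_ref or None,
        })
    return events


def detect_anomalies(events, high_risk=HIGH_RISK_CUSTOMERS,
                     max_distinct=MAX_DISTINCT_CUSTOMERS_PER_DAY):
    """Return a list of (rule, operator, detail) findings.

    Rules:
      no_justification  - lookup with no case reference attached
      high_risk_access  - any lookup of a customer under enhanced oversight
      volume            - distinct customers per operator per day above baseline
    """
    findings = []
    per_day = defaultdict(set)  # (operator, date) -> set of customer ids seen

    for ev in events:
        per_day[(ev["operator"], ev["ts"].date())].add(ev["customer"])
        if ev["case_ref"] is None:
            findings.append(("no_justification", ev["operator"], ev["customer"]))
        if ev["customer"] in high_risk:
            findings.append(("high_risk_access", ev["operator"], ev["customer"]))

    # Volume rule is evaluated once all events for the day have been counted.
    for (operator, day), customers in sorted(per_day.items()):
        if len(customers) > max_distinct:
            findings.append(("volume", operator,
                             f"{len(customers)} distinct customers on {day}"))
    return findings


def summarize(findings):
    """Count findings per (rule, operator) to give a quick triage view."""
    counts = defaultdict(int)
    for rule, operator, _ in findings:
        counts[(rule, operator)] += 1
    return dict(counts)


if __name__ == "__main__":
    found = detect_anomalies(parse_log(SAMPLE_LOG))
    for rule, operator, detail in found:
        print(f"{rule:18} {operator:8} {detail}")
    print(summarize(found))
```

On the constructed sample, op-2002 trips all three rules (six lookups without a case reference, one of them on a high-risk customer, and six distinct customers in one day against a baseline of five), while op-1001's single high-risk lookup is surfaced for review even though it carries a case reference. In a real deployment the baseline would be derived per role from historical volumes rather than fixed, and high-risk lookups would typically require a second-person approval rather than only an after-the-fact alert.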
From a regulatory perspective, the Authority noted violations of the principles of integrity and confidentiality of personal data, as well as a failure to effectively apply the principle of accountability provided by the GDPR. Essentially, the bank was unable to demonstrate that it had implemented measures adequate to prevent and detect unauthorized access.
Further critical issues were identified in the handling of the data breach. The notification sent to the Authority was found to be incomplete and late with respect to the deadlines set by the regulations. Similarly, the affected customers were informed only afterward, following a formal intervention by the Authority dated November 2, 2024. This handling limited the possibility of timely intervention to protect the data subjects.
In determining the amount of the fine, the Authority considered several factors: the duration of the violations, the high number of individuals involved, and the overall severity of the shortcomings identified. The corrective actions taken by Intesa Sanpaolo after the facts emerged, aimed at strengthening internal control systems and security measures, were also evaluated.