The Italian Data Protection Authority (Garante per la protezione dei dati personali) has imposed a record €31.8 million fine on Intesa Sanpaolo S.p.A. following an extensive investigation into unauthorized access to customer financial records.
Key Takeaways
- The Event: Administrative fine for failing to prevent more than 6,600 illicit accesses to sensitive banking data by an internal employee.
- Strategic Impact: Highlights critical vulnerabilities in “full data circularity” models within large-scale financial institutions.
- Metrics: €31.8M penalty; 3,573 affected clients (including political figures); 2-year breach duration.
- Current Outlook: The bank must now implement enhanced behavioral monitoring and restrict data access protocols.
Systemic Failure in Access Control and Monitoring
The investigation revealed that between 2022 and 2024, a bank employee at a local branch repeatedly accessed the sensitive data of high-profile individuals, including government officials and public figures. The breach went undetected for two years, exposing a lack of robust automated alerts and internal auditing systems.
According to the Authority, the bank’s architecture allowed excessive data visibility across the organization, violating the “need-to-know” principle fundamental to GDPR compliance. Furthermore, the bank failed to notify the regulator within the mandatory 72-hour window once the breach reached a critical threshold, leading to an aggravated penalty.
Market Implications for the Banking Sector
This enforcement action follows a previous €17.6M fine related to the Isybank migration, totaling nearly €50M in regulatory penalties within a single quarter. For financial institutions, this case marks a shift toward stricter oversight of internal threats. Management must prioritize Zero Trust architectures and real-time behavioral analytics to mitigate the risks associated with insider threats.
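As an added example (not the bank's system or any material from the Garante), this is the kind of need-to-know check and alerting the article says was missing, run over a constructed core-banking audit trail; the log format, branch codes, employee ids and watchlist are all assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed audit trail (not real data): one customer-record read per line.
# home_branch is the branch that manages the customer's relationship.
AUDIT_LOG = """\
2023-03-01T09:12:44 emp=E100 branch=B07 customer=C5001 home_branch=B07
2023-03-01T09:15:02 emp=E100 branch=B07 customer=C5002 home_branch=B07
2023-03-01T13:40:19 emp=E100 branch=B07 customer=C9001 home_branch=B01
2023-03-02T17:55:31 emp=E100 branch=B07 customer=C9002 home_branch=B01
2023-03-02T18:01:07 emp=E100 branch=B07 customer=C9003 home_branch=B01
2023-03-02T10:05:00 emp=E200 branch=B01 customer=C9001 home_branch=B01
this line is malformed and must be skipped
"""

# Constructed set of customers needing extra protection (the article notes
# political figures among the affected clients); ids are placeholders.
WATCHLIST = {"C9001", "C9003"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) emp=(?P<emp>\S+) branch=(?P<branch>\S+) "
    r"customer=(?P<customer>\S+) home_branch=(?P<home>\S+)$"
)

def parse(log: str) -> list[dict]:
    """Parse audit lines into dicts; lines that do not match the format are dropped."""
    return [m.groupdict() for line in log.splitlines() if (m := LINE_RE.match(line))]

def need_to_know_violations(events: list[dict]) -> list[dict]:
    """Reads where the employee's branch is not the customer's home branch.
    A 'full data circularity' model permits these reads, so the monitoring
    layer must at least record and alert on them."""
    return [e for e in events if e["branch"] != e["home"]]

def watchlist_hits(events: list[dict]) -> list[dict]:
    """Out-of-branch reads of watchlisted customers: highest-severity alerts."""
    return [e for e in need_to_know_violations(events) if e["customer"] in WATCHLIST]

def repeat_offenders(events: list[dict], threshold: int = 3) -> dict[str, int]:
    """Employees with at least `threshold` out-of-branch reads. The low default
    suits the constructed sample; production tuning needs a per-role baseline."""
    counts = Counter(e["emp"] for e in need_to_know_violations(events))
    return {emp: n for emp, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    evts = parse(AUDIT_LOG)
    print(f"{len(need_to_know_violations(evts))} out-of-branch reads")
    print("watchlist hits:", [(e["emp"], e["customer"]) for e in watchlist_hits(evts)])
    print("repeat offenders:", repeat_offenders(evts))
```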