Italian regulators on Monday fined one of the country’s largest financial institutions €31.8 million ($36 million) for improperly accessing the banking information of more than 3,500 customers for more than two years.

The Italian Data Protection Authority fined Intesa Sanpaolo SpA for what it called “serious shortcomings in personal data security, due to the inadequacy of the technical and organizational measures adopted.”

The regulator launched a probe following a data breach announced by the bank in July 2024. The ensuing investigation revealed that an employee accessed the banking information of 3,573 customers between February 2022 and April 2024 without having a proper reason to do so.

“These unauthorized accesses were not detected by internal control systems, highlighting significant weaknesses in the monitoring and prevention mechanisms,” the regulator said in a press release. “The operating model used, which allowed operators to query the entire customer base in a fully circular manner, was not adequately balanced by controls designed to prevent and identify unauthorized access.”

Notably, the customers whose accounts were accessed were considered “high-risk” and included well-known public figures, whom the regulator said Intesa Sanpaolo should have subjected to strengthened controls. 

Additional improprieties were found in how the bank responded to the data breach, the press release said. Notifications to affected customers were allegedly not complete and came after legally required deadlines.

A spokesperson for Intesa Sanpaolo declined to comment. 

The fine was determined based on the severity and duration of the misdeeds, the number of customers impacted and how the banking giant fixed the problem after it was discovered, the press release said.