Intesa Sanpaolo Data Breach Exposes 3,500+ Customers, Draws €31.8M Penalty
Published 2026-3-31 05:34:8. Author: thecyberexpress.com

The Intesa Sanpaolo data breach has resulted in a €31.8 million fine from Italy’s data protection authority, after an investigation found serious lapses in how the bank protected customer data. The case centers on unauthorized access to the banking information of more than 3,500 customers over a period of more than two years, raising fresh concerns around internal threats in the financial sector.

The Intesa Sanpaolo data breach, first reported by the bank in July 2024, turned out to be far more extensive than initially disclosed. Regulators found that a single employee had accessed sensitive banking data of 3,573 customers without any professional justification, making over 6,600 queries between February 2022 and April 2024.

Internal Access, No Early Detection

What stands out in the Intesa Sanpaolo data breach is not just the unauthorized access, but how long it went unnoticed.

According to the Italian Data Protection Authority, the bank’s internal monitoring systems failed to detect repeated anomalous access. The activity continued for months, exposing a clear gap in how employee actions were being tracked.

The access also involved individuals considered high-risk, including public figures and politically exposed persons. These profiles typically require stricter oversight, but the investigation found that enhanced controls were either not applied or were ineffective.

Regulator Flags GDPR Violations

The authority concluded that the Intesa Sanpaolo data breach violated key provisions of the GDPR, particularly around data integrity, confidentiality, and accountability.


At the core of the issue was the bank’s access model. Employees were able to query customer data across the system without sufficient restrictions. While such systems are often designed for operational flexibility, regulators noted that they must be backed by strong controls—which were lacking in this case.

The findings pointed to broader weaknesses in both technical safeguards and organizational oversight.

Delays in Intesa Sanpaolo Data Breach Notification

The bank’s response to the incident has also come under scrutiny. Authorities found that the breach notification was incomplete and delayed, falling short of legal requirements.

Customer communication was another weak point. Many affected individuals were informed only after the regulator intervened in November 2024, months after the issue had come to light.

This delay limited the ability of customers to take timely action, a factor that weighed into the final penalty.

Scale of Exposure Raises Concerns

The Intesa Sanpaolo data breach was not limited to a small set of accounts. The investigation showed that the employee accessed data linked to politicians, public figures, bank staff, and thousands of ordinary customers.

The information viewed included personal identification details as well as financial data such as account activity and payment card information.

While the bank stated there was no evidence of data being extracted or misused, regulators emphasized that unauthorized access alone constitutes a serious breach under GDPR.

Bank Responds, Tightens Controls

Intesa Sanpaolo has since taken corrective steps following the data breach. The bank said it dismissed the employee involved and has introduced stricter controls on data access.

New measures include requiring justification for accessing customer data outside assigned portfolios, enhanced alert systems to detect unusual activity, and additional layers of authorization.
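The three controls listed above (justification for out-of-portfolio lookups, alerting on unusual access, and an extra authorization layer for sensitive profiles) are easier to reason about as code. The following is an added illustration, not Intesa Sanpaolo's own system: the log format, the employee-to-portfolio mapping, the high-risk customer list and the thresholds are all assumptions constructed for the example. It parses a handful of constructed access-log lines, raises the kind of alerts a monitoring system should have produced for repeated unjustified access, and shows an authorization decision that denies unjustified out-of-portfolio queries and requires a second approver for high-risk profiles.

```python
"""Detect and gate out-of-portfolio customer-record access.

Added example; not the bank's code. Log format, portfolios, the high-risk
set, the 'justification' field and the thresholds are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample log: timestamp, employee id, customer id, justification
# ('-' means the employee gave none). One employee queries customers that are
# not in their assigned portfolio, repeatedly and without a ticket reference.
SAMPLE_LOG = """\
2022-02-14T09:12:03Z emp-017 cust-48213 ticket-5531
2022-02-14T09:15:40Z emp-017 cust-90871 -
2022-02-14T09:16:02Z emp-017 cust-90872 -
2022-02-14T09:16:30Z emp-017 cust-77001 -
2022-02-14T10:02:11Z emp-022 cust-48213 ticket-5540
2022-02-14T11:44:19Z emp-017 cust-12004 -
"""

# Assumed mapping from employee to the customers they are assigned to serve.
PORTFOLIOS: Dict[str, Set[str]] = {
    "emp-017": {"cust-48213"},
    "emp-022": {"cust-48213", "cust-12004"},
}

# Assumed set of customers flagged as high-risk (e.g. politically exposed
# persons), whose records require enhanced oversight.
HIGH_RISK: Set[str] = {"cust-77001"}


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    employee: str
    customer: str
    justification: Optional[str]


def parse_log(text: str) -> List[AccessEvent]:
    """Parse whitespace-separated access records into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, emp, cust, just = line.split()
        events.append(AccessEvent(ts, emp, cust, None if just == "-" else just))
    return events


def find_alerts(events: List[AccessEvent], portfolios: Dict[str, Set[str]],
                high_risk: Set[str], max_unjustified: int = 2) -> List[Tuple[str, str, str]]:
    """Raise alerts for unjustified out-of-portfolio access, any access to
    high-risk profiles, and employees exceeding a volume threshold."""
    alerts = []
    unjustified = Counter()
    for ev in events:
        in_portfolio = ev.customer in portfolios.get(ev.employee, set())
        if not in_portfolio and ev.justification is None:
            unjustified[ev.employee] += 1
            alerts.append(("unjustified_out_of_portfolio", ev.employee, ev.customer))
        if ev.customer in high_risk:
            alerts.append(("high_risk_access", ev.employee, ev.customer))
    # Repeated unjustified access by one employee is the pattern that went
    # undetected for two years in the case above; surface it explicitly.
    for emp, n in unjustified.items():
        if n > max_unjustified:
            alerts.append(("volume_threshold", emp, str(n)))
    return alerts


def authorize(employee: str, customer: str, justification: Optional[str],
              portfolios: Dict[str, Set[str]], high_risk: Set[str],
              approver: Optional[str] = None) -> str:
    """Preventive control evaluated before a record is shown.

    Returns 'allow', 'deny' or 'needs_approval'. Out-of-portfolio access
    needs a justification; high-risk profiles additionally need a second,
    distinct approver regardless of portfolio membership."""
    in_portfolio = customer in portfolios.get(employee, set())
    if not in_portfolio and justification is None:
        return "deny"
    if customer in high_risk and (approver is None or approver == employee):
        return "needs_approval"
    return "allow"


if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG), PORTFOLIOS, HIGH_RISK):
        print(alert)
```

On the constructed log, the detection pass flags four unjustified out-of-portfolio lookups by emp-017, one access to a high-risk profile, and a volume alert once emp-017 exceeds the threshold. The authorization function shows the complementary preventive side: the same lookups are refused outright when no justification is supplied, and a high-risk profile cannot be opened by a single employee even with one.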

The bank also argued during proceedings that not all breaches can be prevented and that its systems did eventually detect anomalies. However, regulators maintained that the delay and scale of the breach pointed to deeper issues.

A Broader Signal to the Banking Sector

The Intesa Sanpaolo data breach highlights a persistent challenge for financial institutions: insider risk.

Even with existing safeguards, employees with system access can misuse data if controls are not tight enough or actively monitored. The case shows that compliance is not just about having systems in place, but ensuring they work in practice.

For the wider banking sector, the message is clear. Monitoring cannot be passive, and access cannot be overly broad. Without that balance, even established institutions risk facing similar regulatory action.


Article source: https://thecyberexpress.com/intesa-sanpaolo-data-breach/