Intesa Sanpaolo Missed Unauthorized Access for 2 Years, Regulator Reveals
2026-4-2 07:48:54 Author: thecyberexpress.com

The Intesa Sanpaolo data breach was not just the result of unauthorized access; it was also a failure of detection that lasted for more than two years. In an exclusive response to The Cyber Express, Italy’s data protection authority has now clarified that the bank’s monitoring systems were not equipped to identify repeated, low-volume misuse of access over time.

The Intesa Sanpaolo data breach, which has already led to a €31.8 million fine, involved a single employee accessing the data of over 3,500 customers without any valid business reason.

While earlier findings established the scale of the incident, the latest response explains why it continued undetected for so long.

Intesa Sanpaolo Data Breach: Monitoring Failed to Catch Slow, Repeated Access

At the center of the Intesa Sanpaolo data breach is a critical gap in how internal activity was monitored. In response to queries from The Cyber Express, Secretary General of the Italian Data Protection Authority, Luigi Montuori, said:

“The Authority found that the employee carried out unauthorized access over a period of more than two years without the bank’s alert systems detecting any anomaly. According to the decision, the controls adopted by the bank proved inadequate in light of the specific risks connected with its operating model, which allowed broad internal access to customer data.”

He further added:

“In particular, the Authority considered that the thresholds and monitoring mechanisms in place were not sufficient to promptly detect repeated but time-distributed improper access, including access involving politically exposed or otherwise high-profile individuals.”

This clarification is significant. It shows that the Intesa Sanpaolo data breach was not missed because of a lack of controls, but because those controls were not designed to detect how insider threats actually behave.


Rather than triggering alerts through large or unusual spikes, the access stayed under the radar by being spread out over time. This exposes a common blind spot in enterprise monitoring: systems often focus on volume, not patterns.
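To make that blind spot concrete, the following is an added illustration (not code from the article, the bank, or the regulator) that runs two rules over a constructed access log: a per-day volume threshold of the kind the regulator describes as insufficient, and a rule that accumulates distinct customer records per employee over a long window, plus a flat report of any access to customers tagged as high-profile. The log entries, employee ids, thresholds and high-profile tags are all constructed for the example.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample access log: (day, employee, customer_id). Not real bank data.
# "e42" views three records every third day for four months (slow, distributed);
# "e07" looks up forty records in a single day (the shape a spike rule does catch).
LOG = []
for i in range(0, 120, 3):
    for k in range(3):
        LOG.append((date(2023, 1, 1) + timedelta(days=i), "e42", f"c{1000 + i * 3 + k}"))
LOG += [(date(2023, 1, 15), "e07", f"c{2000 + k}") for k in range(40)]

# Constructed tags standing in for politically exposed / high-profile customers.
HIGH_PROFILE = {"c1009", "c2005"}


def daily_spike_alerts(log, max_distinct_per_day=25):
    """Volume rule: alert when one employee touches many distinct customers in one day."""
    per_day = defaultdict(set)
    for day, emp, cust in log:
        per_day[(emp, day)].add(cust)
    return sorted({emp for (emp, _), custs in per_day.items() if len(custs) > max_distinct_per_day})


def distributed_access_alerts(log, window_days=90, max_distinct_in_window=60):
    """Pattern rule: alert when distinct customers accumulate over a long window,
    even though no single day ever crosses the daily spike threshold."""
    by_emp = defaultdict(list)
    for day, emp, cust in log:
        by_emp[emp].append((day, cust))
    flagged = set()
    for emp, events in by_emp.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = {c for d, c in events[i:] if (d - start).days < window_days}
            if len(in_window) > max_distinct_in_window:
                flagged.add(emp)
                break
    return sorted(flagged)


def high_profile_access(log, high_profile):
    """Report every (employee, customer) access to a tagged customer, regardless of volume."""
    return sorted({(emp, cust) for _, emp, cust in log if cust in high_profile})


if __name__ == "__main__":
    print("daily spike rule flags:      ", daily_spike_alerts(LOG))
    print("distributed access rule flags:", distributed_access_alerts(LOG))
    print("high-profile accesses:        ", high_profile_access(LOG, HIGH_PROFILE))
```

With these constructed thresholds the spike rule flags only e07, while the slow accessor e42 is flagged only by the windowed rule; in practice the window length and per-window threshold would be tuned per role so that legitimate workloads stay below them.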

No Confirmed Misuse, But Regulator Flags High Risk

Another key question in the Intesa Sanpaolo data breach has been whether the accessed data was misused beyond internal viewing. Montuori clarified in his response:

“The decision does not state that there is confirmed evidence of data exfiltration or further misuse of the data outside the unauthorized access itself. However, the Authority found that the unlawful access, its scale, its duration, and the categories of persons affected were sufficient to create a high risk for the rights and freedoms of the individuals concerned. Beyond the conclusions set out in our decision, the case is also under investigation by the judicial authority in criminal proceedings.”

Even without confirmed data exfiltration, the Intesa Sanpaolo data breach was treated as a serious violation. The regulator’s position is clear: prolonged unauthorized access, especially involving sensitive and high-profile individuals, creates inherent risk.

This reflects a broader shift in enforcement, where exposure itself, not just proven misuse, is enough to trigger regulatory action.

Post-Breach Fixes Highlight Earlier Gaps

Following the Intesa Sanpaolo data breach, the bank introduced several measures to strengthen its controls. The authority noted:

“The decision notes that, after the incident, the bank adopted a number of measures to strengthen its safeguards, including:

  • stronger protections for certain particularly sensitive or high-profile customers;
  • enhanced ex ante authorization mechanisms and ex post controls on access;
  • strengthened alerting and monitoring systems for anomalous access;
  • a dedicated task force for analysis and decision support;
  • the introduction of additional data masking measures;
  • broader governance improvements in the management of personal data breaches.

As stated in the decision, the Authority also took these remedial measures into account in its overall assessment.”

While these steps address key weaknesses, they also underline a larger issue. In the Intesa Sanpaolo data breach, the most critical safeguards (effective monitoring, stricter access control, and risk-based oversight) were strengthened only after the breach had already persisted for years.

A Broader Warning on Insider Risk

The Intesa Sanpaolo data breach offers a clear lesson for the banking sector and beyond.

Internal access remains one of the most difficult risks to control. Systems are often designed to enable efficiency, giving employees broad visibility across customer data. But without monitoring that reflects real user behavior, that access can be misused without detection.

What stands out in this case is that even access involving politically exposed and high-profile individuals did not trigger alerts. That points to a deeper issue—not just in tools, but in how risk is defined and monitored.

As Montuori concluded:

“At this stage, we have no further comment beyond the contents of the adopted measure”.

The case may be closed from a regulatory standpoint, but its implications are not. The Intesa Sanpaolo data breach shows that insider threats do not always appear as obvious anomalies; they often build quietly over time. Without systems designed to catch that, similar incidents are likely to happen again.


Source: https://thecyberexpress.com/intesa-sanpaolo-data-breach-missed-for-2-years/