Overview
- Intesa Sanpaolo was fined €31.8 million on Monday by Italy's data protection authority for serious data security failures.
- The investigation found an employee accessed banking data for 3,573 clients with more than 6,600 lookups from February 21, 2022 to April 24, 2024 without a valid reason.
- Internal monitoring did not flag the unauthorized queries, and the records viewed included accounts of high-risk clients holding public roles, who required stronger safeguards.
- The bank’s breach notice and outreach to affected customers were incomplete and late, with full communications issued only after a November 2, 2024 order from the regulator.
- The authority ruled the conduct unlawful for breaching integrity, confidentiality, and accountability rules, and it reduced the fine after the bank adopted measures to strengthen its controls. The case could spur civil claims and tougher oversight across Italian banks.