Major Italian bank fined €31.8M after employee snooped on 3,500 customers


Italy’s data protection authority (DPA) imposed a fine of €31.8 million on Intesa Sanpaolo S.p.A. for “serious shortcomings in personal data security, due to the inadequacy of the technical and organizational measures adopted.”

The GPDP launched an investigation when the bank reported a data breach in July 2024. The inquiry revealed that an employee accessed the banking information of 3,573 customers over 6,600 times between February 21st, 2022, and April 24th, 2024, without a valid legal reason.

The customers whose accounts were accessed were labeled as “high-risk” and included well-known public figures. To protect their privacy, Intesa Sanpaolo should have implemented stricter controls, the DPA argues.


Notably, the unlawful access wasn’t detected by any internal control system, indicating that adequate technical and organizational measures to monitor employees’ activities weren’t in place.


In addition, there were failures in transparency, meaning that customers weren’t properly informed about what data was being collected and used.

Furthermore, the integrity and confidentiality of personal data weren’t safeguarded, reflecting the overall inadequacy of the adopted measures.

“The operational model used, which allowed operators to query the entire customer base in full circularity, was not in fact adequately balanced by controls designed to prevent and identify unauthorized access,” the Italian DPA said.

For these violations, Intesa Sanpaolo was ordered to pay a fine of €31.8 million.


The bank must now improve transparency by explaining to customers what data is collected and why it is processed; collect only the data that is necessary, in line with the principles of data minimization and proportionality; document the legal basis for processing personal information; and take measures to ensure data accuracy and security.


In determining the amount of the fine, the GPDP took into account the severity and duration of the violations, the high number of customers involved, as well as the corrective measures adopted by the bank following the events.