Italy Slaps Intesa Sanpaolo With Huge Fine Following Massive Data Privacy Breach

Italy’s primary data protection authority has delivered a significant blow to Intesa Sanpaolo by imposing an 18 million euro fine following a comprehensive investigation into unauthorized access to client information. The penalty comes after revelations that a former employee at the bank’s branch in Bitonto successfully accessed the private financial records of thousands of customers over an extended period without any legitimate business justification.

The breach, which targeted high-profile figures including Prime Minister Giorgia Meloni and various political and sports personalities, has raised serious questions regarding the internal security protocols of Italy’s largest banking institution. According to the regulator, the unauthorized snooping occurred between early 2022 and mid-2024, involving nearly 7,000 separate accounts. The sheer scale and duration of the illicit activity suggest a systemic failure in the bank’s ability to monitor employee behavior and protect sensitive consumer data from internal threats.

In its official ruling, the Italian Data Protection Authority, known as Garante, highlighted that the bank failed to implement adequate technical and organizational measures to prevent such a breach. The regulator noted that the existing monitoring systems were insufficient to detect the anomalous patterns of data access performed by the employee in question. This lack of oversight allowed the individual to query the bank’s central database repeatedly without triggering immediate alarms or restrictive interventions.
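The detection gap the regulator describes, as an added example that is not code from the article or the bank: a small Python pass over a constructed customer-record query log that flags any employee whose daily number of distinct customer records, or of lookups on another branch's customers with no service ticket, exceeds a threshold. The employee ids, branch names, ticket format and thresholds are all assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample of a core-banking customer-record query log (not real data).
# Fields: timestamp employee home_branch customer customer_branch ticket ("-" = none)
ACCESS_LOG = """\
2022-03-01T09:02:11 e101 BITONTO c0001 BITONTO T-4481
2022-03-01T09:15:40 e101 BITONTO c0002 BITONTO T-4482
2022-03-01T10:01:05 e101 BITONTO c0003 BITONTO -
2022-03-01T10:02:13 e101 BITONTO c9001 ROMA -
2022-03-01T10:02:44 e101 BITONTO c9002 ROMA -
2022-03-01T10:03:01 e101 BITONTO c9003 MILANO -
2022-03-01T10:03:29 e101 BITONTO c9004 MILANO -
2022-03-01T11:30:00 e205 BARI c0500 BARI T-4490
2022-03-01T11:45:12 e205 BARI c0501 BARI T-4491
"""

def parse_log(text):
    """Parse whitespace-separated log lines into dicts (hypothetical format)."""
    rows = []
    for line in text.splitlines():
        ts, emp, home, cust, cust_br, ticket = line.split()
        rows.append({"ts": ts, "employee": emp, "home_branch": home,
                     "customer": cust, "customer_branch": cust_br, "ticket": ticket})
    return rows

def daily_stats(rows):
    """Per (employee, day): distinct customers seen, and lookups on another
    branch's customer with no service ticket ("unjustified")."""
    stats = defaultdict(lambda: {"customers": set(), "unjustified": 0})
    for r in rows:
        s = stats[(r["employee"], r["ts"][:10])]
        s["customers"].add(r["customer"])
        if r["customer_branch"] != r["home_branch"] and r["ticket"] == "-":
            s["unjustified"] += 1
    return stats

def flag_insiders(rows, max_daily_customers=5, max_unjustified=2):
    """Return {(employee, day): [reasons]} where activity breaches the thresholds.
    Thresholds are illustrative; a real deployment derives them per role from history."""
    alerts = {}
    for key, s in daily_stats(rows).items():
        reasons = []
        if len(s["customers"]) > max_daily_customers:
            reasons.append(f"{len(s['customers'])} distinct customer records in one day")
        if s["unjustified"] > max_unjustified:
            reasons.append(f"{s['unjustified']} out-of-branch lookups with no ticket")
        if reasons:
            alerts[key] = reasons
    return alerts
```

Run daily over the real query log, the same aggregation would have produced an alert on the first day a teller pulled records far outside their own customer base, long before thousands of accounts had been touched.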

Intesa Sanpaolo has responded to the fine by emphasizing its commitment to security and noting that the employee involved was dismissed shortly after the internal discovery of the misconduct. The bank also pointed out that it has since cooperated fully with the authorities and has already begun implementing more rigorous surveillance technologies to prevent a recurrence. However, the regulator maintained that the corrective actions taken after the fact do not absolve the institution of its legal responsibility to have had preventative measures in place from the start.

The incident has sparked a broader debate across the European financial sector regarding the vulnerability of digital banking systems to insider threats. While many institutions focus their cybersecurity budgets on defending against external hackers and malware, this case illustrates that the most significant risk can often come from within the organization itself. Privacy advocates argue that the 18 million euro penalty serves as a necessary deterrent for other financial giants that may be underestimating the importance of internal data governance.

Beyond the financial penalty, Intesa Sanpaolo faces a significant reputational challenge. Trust is the fundamental currency of the banking industry, and the revelation that sensitive financial details of the nation’s top leaders were left unprotected has shaken public confidence. The bank must now navigate a complex path toward rebuilding its image while satisfying the strict compliance requirements dictated by both national and European Union privacy regulations, such as the General Data Protection Regulation.

As the banking landscape continues to digitize at a rapid pace, the Italian regulator’s decision signals a zero-tolerance policy for lapses in data stewardship. The 18 million euro fine is one of the largest ever issued by the Garante in the financial services sector, underscoring the gravity of the situation. Moving forward, Intesa Sanpaolo will be required to provide regular updates on its security upgrades, ensuring that the private lives of its millions of customers remain shielded from prying eyes, whether they belong to external criminals or rogue employees.

Josh Weiner