- Italian regulator says weak internal controls allowed unauthorised access to over 3,500 customer accounts.
- The case underscores rising financial and regulatory risks linked to insider threats in banking.
What happened
Unauthorised access exposed control gaps
Italy’s data protection authority has fined Intesa Sanpaolo, the country’s largest banking group, €31.8 million ($36.4 million) after an employee repeatedly accessed customer banking data without authorisation, according to a Reuters report.
The breach involved 3,573 customers and more than 6,600 separate consultations of banking information between February 2022 and April 2024. According to the regulator, known as the Garante, the activity went undetected by the bank’s internal control systems for an extended period, revealing “significant weaknesses” in monitoring and prevention measures.
Among those affected were clients holding prominent public roles, who should have been subject to enhanced protection measures. The authority said the size of the fine also reflected corrective actions taken by the bank after the incident to strengthen security and internal controls.
Read the original Reuters coverage here: Italy data protection agency fines Intesa Sanpaolo $36 mln over data breach.
The bank did not immediately respond to a request for comment at the time of publication, Reuters reported.
In simple terms, Intesa Sanpaolo is Italy’s largest banking group, serving millions of retail and corporate customers, making the breach particularly sensitive in both political and financial contexts.
Why it’s important
The case highlights how insider threats remain one of the most persistent cybersecurity risks in financial services. While external hackers dominate headlines, regulators are increasingly scrutinising whether banks have sufficient monitoring to detect misuse by employees.
The Garante’s findings reinforce Europe’s strict approach to data protection under GDPR, where organisations must prove robust monitoring and prevention capabilities — not just respond after incidents occur. For banks, such penalties can have financial and reputational consequences, especially as customer trust underpins deposit stability and digital banking growth.
From a financial perspective, enforcement actions like this are becoming a measurable regulatory risk. Stronger governance, monitoring and audit trails are now viewed as part of core risk management rather than purely IT functions.
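The monitoring the article says was missing comes down to reviewing the audit trail of employee look-ups of customer records. The following is an added example, not the bank's or the regulator's own code, showing the two checks a defender would run over such a trail: a per-employee volume check (total consultations and distinct customers) and an alert on any look-up of a record tagged for enhanced protection by someone outside an allow-list. The log lines, customer and employee identifiers, the protected set, the allow-list and the thresholds are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit trail (not real data): one record per employee
# look-up of a customer record. Format: ISO timestamp, employee id,
# customer id, action.
SAMPLE_LOG = """\
2022-02-03T09:12:00 emp017 cust00042 VIEW_BALANCE
2022-02-03T09:13:10 emp017 cust00043 VIEW_BALANCE
2022-02-03T09:14:05 emp017 cust00044 VIEW_TRANSACTIONS
2022-02-03T09:15:40 emp017 cust00045 VIEW_BALANCE
2022-02-03T09:16:22 emp017 cust00046 VIEW_BALANCE
2022-02-03T09:17:01 emp017 cust00047 VIEW_TRANSACTIONS
2022-02-03T09:18:30 emp017 cust00048 VIEW_BALANCE
2022-02-03T10:02:00 emp042 cust00101 VIEW_BALANCE
2022-02-03T10:45:00 emp042 cust00101 UPDATE_ADDRESS
2022-02-03T11:30:00 emp042 cust00900 VIEW_TRANSACTIONS
"""

# Constructed: customers whose records require enhanced protection
# (the article's "clients holding prominent public roles").
PROTECTED_CUSTOMERS = {"cust00900"}
# Constructed: the only employees authorised to open protected records.
PROTECTED_ALLOWLIST = {"emp003"}


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    employee: str
    customer: str
    action: str


def parse_log(text: str) -> list[AccessEvent]:
    """Parse the whitespace-separated audit records into events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, emp, cust, action = line.split()
        events.append(AccessEvent(datetime.fromisoformat(ts), emp, cust, action))
    return events


def summarise(events: list[AccessEvent]) -> dict[str, tuple[int, int]]:
    """Per employee: (total look-ups, number of distinct customers consulted)."""
    totals: dict[str, int] = defaultdict(int)
    customers: dict[str, set[str]] = defaultdict(set)
    for e in events:
        totals[e.employee] += 1
        customers[e.employee].add(e.customer)
    return {emp: (totals[emp], len(customers[emp])) for emp in totals}


def detect(events: list[AccessEvent], max_lookups: int = 5,
           max_distinct_customers: int = 5) -> list[tuple[str, str, str]]:
    """Return alerts as (rule, employee, detail).

    Thresholds are constructed for the sample; in practice they would be
    derived from each role's normal workload over the review window.
    """
    alerts = []
    # Rule 1: volume of consultations per employee over the window.
    for emp, (total, distinct) in sorted(summarise(events).items()):
        if total > max_lookups or distinct > max_distinct_customers:
            alerts.append(("volume", emp,
                           f"{total} look-ups across {distinct} customers"))
    # Rule 2: any access to a protected record by a non-allow-listed employee.
    for e in events:
        if e.customer in PROTECTED_CUSTOMERS and e.employee not in PROTECTED_ALLOWLIST:
            alerts.append(("protected", e.employee,
                           f"{e.action} on {e.customer} at {e.ts.isoformat()}"))
    return alerts


if __name__ == "__main__":
    for rule, emp, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"[{rule}] {emp}: {detail}")
```

Run against the constructed trail, the volume rule flags emp017 (seven look-ups across seven customers in a few minutes) and the protected-record rule flags emp042 for opening cust00900. The point of the split is that the second rule needs no baseline at all: an access to a flagged record by someone outside the allow-list is reportable on its own, which is why such records should be tagged in the system before, not after, an incident.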
More broadly, the case signals that European regulators are prepared to levy substantial fines even when breaches involve internal misuse rather than external cyberattacks.