According to the Italian Data Protection Authority (the Garante), Intesa Sanpaolo was fined €31.8 million for a serious insider data breach that affected 3,573 customers and involved more than 6,600 unauthorized inquiries between 21 February 2022 and 24 April 2024. The investigation, triggered by a July 2024 breach report from the bank, found that the accesses were not detected by internal controls and concerned data on "high-risk" customers, including individuals in prominent public roles.
The authority criticised the bank's inadequate technical and organisational measures, noting an operating model that allowed staff to query the entire customer base without sufficient safeguards, so that the accesses went unnoticed for more than two years. The breach notification was also described as incomplete and late, and the bank communicated with the affected data subjects only after a prior Garante provision dated 2 November 2024.
In its decision, the Garante deemed Intesa Sanpaolo’s conduct unlawful, and the €31.8 million fine reflected the violations’ severity, their duration, and the corrective measures the bank implemented thereafter. The announcement is dated Rome, 30 March 2026.