Intesa Sanpaolo Fined $36.4 mn Over Data Breach, Exposing Gaps in Banking Cybersecurity Controls

Italy’s data protection authority has imposed a €31.8 million ($36.41 million) penalty on Intesa Sanpaolo following a significant data breach that affected 3,500 customers and exposed critical shortcomings in internal monitoring systems. The ruling reflects rising regulatory pressure on financial institutions to strengthen cybersecurity frameworks and comply with stringent data protection laws such as the General Data Protection Regulation.


Investigation Reveals Unauthorized Access to Customer Data

According to findings by Garante per la protezione dei dati personali, an employee at Intesa Sanpaolo improperly accessed sensitive banking information of 3,573 customers. The unauthorized activity occurred over a prolonged period from February 2022 to April 2024, during which more than 6,600 instances of data consultation were recorded.

The regulator highlighted that these repeated breaches went undetected for over two years, pointing to serious lapses in the bank’s internal control systems. The failure to identify and prevent such activity raises concerns about the effectiveness of real-time monitoring tools and access governance within large financial institutions.

High-Profile Clients Among Those Impacted

The breach also involved individuals holding prominent public positions, making the incident more severe from a compliance standpoint. Regulators emphasized that enhanced safeguards should have been applied to accounts with elevated risk profiles, particularly those belonging to politically exposed persons and high-net-worth individuals.

This aspect of the case reflects broader expectations under GDPR, where organizations are required to implement risk-based security measures tailored to the sensitivity of the data and the profile of the customer.

Regulatory Action Reflects ESG and Governance Priorities

The fine imposed on Intesa Sanpaolo aligns with growing emphasis on governance and data protection within Environmental, Social, and Governance (ESG) frameworks. Data privacy and cybersecurity are increasingly viewed as core governance issues, influencing investor confidence and corporate reputation.

Across Europe, regulators have intensified enforcement actions under GDPR, with financial services firms facing heightened scrutiny due to the volume and sensitivity of customer data they manage. The European banking sector has seen a steady increase in penalties related to data breaches, reinforcing the need for robust compliance strategies.

Corrective Measures and Industry Implications

While issuing the fine, the Italian authority acknowledged that Intesa Sanpaolo had implemented corrective actions to enhance its internal controls and data protection mechanisms. These measures reportedly include improvements in monitoring systems, stricter access controls, and enhanced employee oversight.

However, the scale and duration of the breach demonstrate that reactive measures alone are insufficient. Financial institutions are increasingly expected to adopt proactive cybersecurity strategies, including AI-driven anomaly detection, zero-trust architectures, and continuous auditing of user activity.
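The two findings the regulator points to, a single employee consulting thousands of unrelated customer records over a period of years, and no extra scrutiny on accounts belonging to high-risk customers, are exactly what continuous auditing of user activity is meant to surface. The following is an added example written for this article, not code from the bank, the regulator or the author; it runs a simple peer-baseline review over constructed access-log lines (employee ids, customer ids and the flagged-customer list are all made up) and reports employees whose distinct-customer reach is far above their peers or who touched flagged accounts, together with how long that activity has been going on.

```python
"""Insider-access review over constructed access-log records.

Added example, not from the article or from Intesa Sanpaolo. Assumes one log
line per record lookup: "<ISO timestamp> <employee id> <customer id> <action>".
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed list of customers that warrant enhanced safeguards (e.g. PEPs).
HIGH_RISK_CUSTOMERS = {"cust9001", "cust9002"}


def build_sample_log():
    """Constructed sample log, not real data. Four employees look up a handful
    of assigned customers; one looks up many unrelated records over ~13 months,
    including two flagged accounts."""
    lines = []
    for i, emp in enumerate(["emp001", "emp002", "emp003", "emp004"]):
        for k in range(5):
            lines.append(f"2024-03-{1 + k:02d}T09:00:00 {emp} cust{1000 + i * 10 + k} view_balance")
    for k in range(40):
        day = datetime(2023, 2, 1) + timedelta(days=10 * k)
        lines.append(f"{day.isoformat()} emp005 cust{2000 + k} view_profile")
    lines.append("2023-06-15T14:12:00 emp005 cust9001 view_profile")
    lines.append("2024-01-20T11:45:00 emp005 cust9002 view_profile")
    return "\n".join(lines)


def parse_log(text):
    """Parse log lines into (timestamp, employee, customer, action) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, emp, cust, action = line.split()
        records.append((datetime.fromisoformat(ts), emp, cust, action))
    return records


def distinct_customers_per_employee(records):
    """How many different customer records each employee consulted."""
    seen = defaultdict(set)
    for _, emp, cust, _ in records:
        seen[emp].add(cust)
    return {emp: len(custs) for emp, custs in seen.items()}


def flag_broad_access(counts, multiplier=3.0, minimum=10):
    """Flag employees whose distinct-customer count exceeds a peer baseline:
    the larger of `minimum` and `multiplier` times the median across staff."""
    if not counts:
        return {}
    threshold = max(minimum, multiplier * median(counts.values()))
    return {emp: n for emp, n in counts.items() if n > threshold}


def flag_high_risk_access(records, high_risk):
    """Every lookup of a flagged customer, grouped by employee."""
    hits = defaultdict(list)
    for ts, emp, cust, action in records:
        if cust in high_risk:
            hits[emp].append((ts.isoformat(), cust, action))
    return dict(hits)


def active_span_days(records, emp):
    """Days between an employee's first and last logged lookup."""
    stamps = [r[0] for r in records if r[1] == emp]
    return (max(stamps) - min(stamps)).days if stamps else 0


def review(text, high_risk=HIGH_RISK_CUSTOMERS):
    """Combine the checks into one findings dict keyed by employee id."""
    records = parse_log(text)
    counts = distinct_customers_per_employee(records)
    broad = flag_broad_access(counts)
    risky = flag_high_risk_access(records, high_risk)
    findings = {}
    for emp in set(broad) | set(risky):
        findings[emp] = {
            "distinct_customers": counts.get(emp, 0),
            "broad_access": emp in broad,
            "high_risk_hits": len(risky.get(emp, [])),
            "active_span_days": active_span_days(records, emp),
        }
    return findings


if __name__ == "__main__":
    for emp, f in sorted(review(build_sample_log()).items()):
        print(emp, f)
```

The peer-median baseline is deliberately simple: a relationship manager legitimately consults a stable set of assigned clients, so an employee whose reach is several times the median is worth a human review even before any single lookup looks wrong. The span check matters because the point of continuous auditing is to catch this pattern in weeks, not after two years.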

Rising Importance of Data Governance in Banking

The case highlights a broader industry trend where data governance is becoming a strategic priority rather than just a compliance requirement. Banks are investing heavily in cybersecurity infrastructure as digital banking adoption accelerates and cyber threats become more sophisticated.

Globally, regulators are moving toward stricter enforcement, with penalties designed not only to punish violations but also to drive systemic improvements in how organizations manage and protect data.

For Intesa Sanpaolo and its peers, the incident serves as a critical reminder that maintaining customer trust in the digital era depends heavily on the strength of internal controls, transparency in incident response, and adherence to evolving regulatory standards.

RAJANI BABURAJAN

Baburajan Kizhakedath is the editor of InfotechLead.com. He has three decades of experience in tech media.
