Italy’s data protection authority fined Intesa Sanpaolo €31.8 million ($36 million) on Monday after an employee accessed banking data belonging to 3,573 customers over more than two years without detection. The fine is among the most significant GDPR penalties imposed in Italy and follows a separate €17.6 million fine against the same bank earlier this month.
The breach occurred between February 2022 and April 2024, a period during which a single employee made more than 6,600 unauthorised queries into customer accounts. According to the Italian Data Protection Authority, known as the Garante, none of these accesses were flagged by internal monitoring systems, revealing what regulators described as “significant weaknesses in the monitoring and prevention mechanisms.”
High-Risk Customers Included Public Figures
The compromised accounts included customers with prominent public roles who should have been subject to enhanced protection measures. While the Garante did not name specific individuals, Italian media reports suggest Prime Minister Giorgia Meloni was among those affected. The regulator noted that these high-profile customers represented exactly the type of accounts that should trigger additional security controls under GDPR requirements.
The investigation began after Intesa Sanpaolo notified the authority of the breach in July 2024. The bank’s delayed notification became part of the problem: the regulator found that notifications to affected customers were incomplete and delayed beyond legally required deadlines.
The Access Control Problem Was Structural
The regulator’s investigation revealed that the problem extended beyond monitoring gaps. Employees at Intesa Sanpaolo were able to query large portions of the customer database in what regulators termed a “circular” access pattern, and the bank’s operating model provided no adequate counterbalancing controls to prevent or detect unauthorised access.
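The two control gaps the Garante describes, lookups outside an employee’s legitimate remit going unflagged and enhanced-protection accounts receiving no additional scrutiny, map to a small set of detection rules that any bank can run over its own access logs. The following is an added illustration written for this article, not code from Intesa Sanpaolo or from the regulator’s decision; the employee identifiers, portfolio assignments, ticket references, log format, enhanced-protection list and the daily threshold are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample data (hypothetical, not from the Garante's decision):
# each employee is assigned a customer portfolio they are expected to serve.
ASSIGNED_PORTFOLIO = {
    "emp-101": {"cust-1", "cust-2", "cust-3"},
    "emp-102": {"cust-4", "cust-5"},
    "emp-103": {"cust-6"},
}

# Accounts the bank has marked for enhanced protection (hypothetical list).
ENHANCED_PROTECTION = {"cust-9"}

# Cap on distinct customers one employee may look up in a calendar day before
# the pattern is treated as a breadth anomaly (illustrative value).
DAILY_DISTINCT_CUSTOMER_LIMIT = 5


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    employee: str
    customer: str
    ticket: Optional[str]  # service request justifying the lookup, if any


@dataclass(frozen=True)
class Finding:
    rule: str
    employee: str
    detail: str


def parse_log(lines: List[str]) -> List[AccessEvent]:
    """Parse constructed 'timestamp|employee|customer|ticket' lines; '-' = no ticket."""
    events = []
    for line in lines:
        ts, emp, cust, ticket = line.strip().split("|")
        events.append(AccessEvent(datetime.fromisoformat(ts), emp, cust,
                                  None if ticket == "-" else ticket))
    return events


def detect(events: List[AccessEvent]) -> List[Finding]:
    """Apply three rules: enhanced-protection lookups are always surfaced for
    review; out-of-portfolio lookups need a ticket; too many distinct
    customers per day is a breadth anomaly even when every lookup is ticketed."""
    findings: List[Finding] = []
    per_day = defaultdict(set)  # (employee, date) -> distinct customers touched
    for ev in events:
        portfolio = ASSIGNED_PORTFOLIO.get(ev.employee, set())
        when = ev.ts.isoformat()
        if ev.customer in ENHANCED_PROTECTION:
            findings.append(Finding("enhanced_protection_access", ev.employee,
                                    f"{ev.customer} at {when}"))
        elif ev.customer not in portfolio and ev.ticket is None:
            findings.append(Finding("out_of_portfolio_no_ticket", ev.employee,
                                    f"{ev.customer} at {when}"))
        per_day[(ev.employee, ev.ts.date())].add(ev.customer)
    for (emp, day), customers in per_day.items():
        if len(customers) > DAILY_DISTINCT_CUSTOMER_LIMIT:
            findings.append(Finding("breadth_anomaly", emp,
                                    f"{len(customers)} distinct customers on {day}"))
    return findings


# Constructed log lines for the demonstration.
SAMPLE_LOG = [
    "2024-03-01T09:00:00|emp-101|cust-1|SR-1",   # own portfolio, ticketed: fine
    "2024-03-01T09:05:00|emp-101|cust-4|SR-2",   # outside portfolio but ticketed: fine
    "2024-03-01T09:10:00|emp-102|cust-1|-",      # outside portfolio, no ticket: flagged
    "2024-03-01T09:12:00|emp-102|cust-9|SR-3",   # enhanced-protection account: always flagged
    "2024-03-01T10:00:00|emp-103|cust-10|SR-4",  # six ticketed lookups in one day...
    "2024-03-01T10:01:00|emp-103|cust-11|SR-5",
    "2024-03-01T10:02:00|emp-103|cust-12|SR-6",
    "2024-03-01T10:03:00|emp-103|cust-13|SR-7",
    "2024-03-01T10:04:00|emp-103|cust-14|SR-8",
    "2024-03-01T10:05:00|emp-103|cust-15|SR-9",  # ...exceeds the daily limit: breadth anomaly
]

if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f"{f.rule:28} {f.employee}  {f.detail}")
```

The third rule is the one that matters for a case like this one: per-event justification checks can be satisfied by an employee who attaches a plausible reference to every lookup, whereas a count of distinct customers per employee per day exposes the broad, circular scanning pattern the regulator described regardless of how each individual query was labelled.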
The Garante concluded that Intesa Sanpaolo failed to meet core GDPR obligations around data integrity, confidentiality and accountability through effective technical and organisational measures. The €31.8 million penalty was calculated based on the severity and duration of the violations, the number of customers affected and the bank’s response after discovery.
Part of a Pattern of Regulatory Enforcement
This fine follows a €17.6 million penalty imposed on Intesa Sanpaolo on 13 March 2026 for unlawfully profiling 2.4 million customers during their transfer to digital subsidiary Isybank. The bank had analysed customer data including age, digital channel usage and account balances to determine which customers would be moved to the new platform without establishing a proper legal basis under GDPR.
The pattern suggests sustained regulatory scrutiny of Intesa Sanpaolo’s data handling practices across both security and usage violations. Both cases involved inadequate notification procedures and insufficient customer communication, issues that amplify the underlying data protection failures.
The timing is significant. European regulators have intensified GDPR enforcement in the banking sector with financial institutions facing heightened scrutiny due to the volume and sensitivity of customer data they manage. The repeated violations at Italy’s largest bank signal that size and reputation provide no protection from regulatory action when fundamental data protection controls fail.
Intesa Sanpaolo declined to comment on the latest fine. The bank has reportedly implemented corrective measures including enhanced monitoring systems, stricter access controls and improved employee oversight, though these changes came only after the breach was discovered and reported.
References
- The Record: Italian regulator fines financial giant $36 million for data protection failures — https://therecord.media/italian-regulator-fines-financial-giant-36-million
- Reuters via Yahoo Finance: Italy data protection agency fines Intesa Sanpaolo $36 million — https://finance.yahoo.com/sectors/technology/articles/italy-data-protection-agency-fines-154427191.html
- Il Sole 24 ORE: Privacy Guarantor sanctions Intesa Sanpaolo on ‘data breach’ for 31.8 million — https://en.ilsole24ore.com/art/privacy-guarantor-fines-intesa-sanpaolo-data-breach-318-million-AIPAWeFC
- GRC Report: Intesa Sanpaolo Hit With €31.8 million Fine After Insider Data Breach — https://www.grcreport.com/post/intesa-sanpaolo-hit-with-34-5-million-fine-after-insider-data-breach-went-undetected-for-years
- MLex: Intesa Sanpaolo gets €17.6m fine in Italy for data-protection breach — https://www.mlex.com/mlex/articles/2452726/intesa-sanpaolo-gets-17-6m-fine-in-italy-for-data-protection-breach
March 31, 2026