PROBABLYPWNED
Data Breaches | April 2, 2026 | 4 min read

Italy's Largest Bank Fined $36M After Employee Snooped for Years

Intesa Sanpaolo hit with $36 million GDPR fine after a single employee accessed 3,573 customer accounts undetected for over two years, including politicians.

Sarah Mitchell

Italy's data protection authority has fined Intesa Sanpaolo €31.8 million ($36 million) after discovering a single employee accessed the banking information of 3,573 customers without authorization—for more than two years without detection.

The Italian Data Protection Authority (Garante) announced the penalty on March 30, 2026, citing "serious shortcomings in personal data security" at Italy's largest banking group. The fine follows a November 2024 admission by the bank that a former employee had improperly accessed client data.

Two Years of Unauthorized Access

Between February 21, 2022 and April 24, 2024, an employee made more than 6,600 unauthorized data queries across 3,573 customer accounts—an average of roughly 9 improper accesses per day.

The affected customers weren't random. The employee specifically targeted high-profile individuals including politicians, public figures, and even colleagues within the bank itself. These "high-risk" accounts should have received heightened monitoring under GDPR requirements, but the bank's systems failed to flag the suspicious access patterns.

"These unauthorized accesses were not detected by internal control systems, highlighting significant weaknesses in the monitoring and prevention mechanisms," the regulator stated in its decision.

Systemic Architecture Failures

The fine wasn't just for the breach itself—it was for the architecture that made it possible.

Intesa Sanpaolo's systems "allowed operators to query the entire customer base in a fully circular manner" without adequate access controls. In plain terms: employees could look up any customer they wanted, and the bank had no effective way to detect when those lookups weren't job-related.

This violates the "need-to-know" principle fundamental to GDPR compliance. Employees should only have access to the specific data required for their roles, and that access should be logged and monitored.

The breach mirrors the access control failures we've seen in other major financial incidents, including the Lloyds Bank app glitch that exposed customer transaction data due to similar architectural weaknesses.

Delayed Notification Made It Worse

The regulatory penalty was aggravated because Intesa Sanpaolo failed to notify the regulator within GDPR's mandatory 72-hour window once the breach reached a critical threshold. Article 33 of GDPR requires prompt notification of personal data breaches to supervisory authorities—a requirement the bank violated.

Customer notifications were also incomplete and delivered after legal deadlines, according to the regulator's findings.

€50 Million in Fines This Quarter

This isn't Intesa Sanpaolo's first regulatory trouble. The €31.8 million penalty follows a previous €17.6 million fine related to the Isybank migration, bringing total regulatory penalties to nearly €50 million within a single quarter.

For context on data breach enforcement trends, GDPR fines have been escalating across Europe, with regulators increasingly willing to impose penalties that represent meaningful financial consequences for large institutions.

Why This Matters

Insider threats remain one of the most difficult security challenges for any organization. External attackers can be blocked at the perimeter; employees already have legitimate access to internal systems.

The Intesa Sanpaolo case demonstrates that detection capabilities matter as much as prevention. A single employee conducting suspicious queries for 26 months without triggering any alerts represents a fundamental monitoring failure.

Financial institutions handling sensitive customer data need:

  1. Role-based access controls that limit data visibility to job requirements
  2. Behavioral monitoring that flags unusual access patterns
  3. Automated alerts when employees access accounts they have no business relationship with
  4. Regular access audits that review who's looking at what
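The monitoring described in items 2 and 3 can be reduced to a small rule set run over customer-lookup audit records. The following is an added example, not code from the bank or the regulator; the record layout, the employee-to-customer assignment map and the high-profile list are all assumptions constructed for the illustration. It flags lookups of customers the employee has no assigned relationship with, raises severity for high-profile accounts, and adds a volume alert when off-portfolio lookups on one day reach a threshold.

```python
from collections import Counter

# Constructed audit records: (employee_id, customer_id, date). The field layout is
# an assumption for this example; real core-banking audit logs will differ.
LOOKUPS = [
    ("e01", "c100", "2022-03-01"),
    ("e01", "c101", "2022-03-01"),
    ("e02", "c200", "2022-03-01"),
    ("e02", "c201", "2022-03-01"),
    ("e02", "c300", "2022-03-01"),  # no business relationship
    ("e02", "c301", "2022-03-01"),  # no business relationship
    ("e02", "c302", "2022-03-01"),  # no relationship, high-profile account
    ("e02", "c303", "2022-03-02"),  # no business relationship
]
# Assumed mapping of the customers each employee is actually assigned to serve.
ASSIGNED = {"e01": {"c100", "c101"}, "e02": {"c200", "c201"}}
# Assumed set of accounts that warrant heightened monitoring.
HIGH_PROFILE = {"c302"}


def detect_insider_lookups(lookups, assigned, high_profile, daily_limit=3):
    """Return alerts for off-portfolio lookups (severity raised for high-profile
    accounts) and a volume alert per employee-day at or above daily_limit."""
    alerts = []
    off_portfolio_per_day = Counter()
    for emp, cust, day in lookups:
        if cust in assigned.get(emp, set()):
            continue  # lookup of an assigned customer: expected behaviour
        off_portfolio_per_day[(emp, day)] += 1
        severity = "high" if cust in high_profile else "medium"
        alerts.append({"rule": "no_relationship", "employee": emp,
                       "customer": cust, "date": day, "severity": severity})
    for (emp, day), n in off_portfolio_per_day.items():
        if n >= daily_limit:
            alerts.append({"rule": "volume", "employee": emp, "date": day,
                           "count": n, "severity": "high"})
    return alerts


if __name__ == "__main__":
    for alert in detect_insider_lookups(LOOKUPS, ASSIGNED, HIGH_PROFILE):
        print(alert)
```

In practice the assignment map would come from the CRM or branch-portfolio system, and the daily threshold would be set from each role's observed baseline rather than a fixed constant.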

The €31.8 million fine sends a clear message: regulators expect organizations to detect insider abuse, not just prevent external attacks. "We didn't know" is not an acceptable defense when the tools to detect the abuse exist and weren't implemented.

Industry Implications

Banks and financial services firms should treat this case as a wake-up call. The fine formula under GDPR considers the severity and duration of violations, the number of customers affected, and what remedial actions were taken after discovery.

Intesa Sanpaolo checked every box for an aggravated penalty: long duration, high-profile victims, systemic architectural failures, and delayed notification. Organizations with similar access control weaknesses are exposed to similar regulatory risk.

For security teams evaluating their own insider threat programs, the question isn't whether employees could abuse their access—it's whether you would know if they did.
