
Italian bank Intesa Sanpaolo SpA fined €31.8m over data protection failures

The Italian Data Protection Authority (the Garante) has fined the Italian international banking group Intesa Sanpaolo S.p.A. €31.8 million after finding that an employee had accessed the banking details of more than 3,500 customers without authorisation.


The breach ran from February 21, 2022, to April 24, 2024, during which an employee posted to the bank's Agribusiness branch in Barletta accessed the personal and banking information of thousands of customers without a legitimate reason and without any prior authorisation.


The bank first spotted unusual data-access queries by the employee in early 2024 and, on July 17, 2024, notified the Data Protection Authority that the employee, who was the manager of the Agribusiness branch, had accessed the personal and banking information of about nine customers since February 21, 2022.


The bank told the regulator that it had become aware of the event during periodic "second-level checks regarding potential anomalies in access to banking data by employees, detected by the alert systems adopted." It said the access did not pose any significant risk to the affected customers' rights and freedoms. On August 30, 2024, the bank announced that it had dismissed the employee.


The Data Protection Authority reopened its investigation in October 2024 after press reports that a bank employee had improperly accessed the banking information of thousands of customers. Questioned again, the bank admitted that a detailed audit had found the employee made more than 6,600 access requests relating to the accounts of 3,572 customers, far beyond the nine originally notified.


The list of victims included 34 politicians representing both center-right and center-left political forces; 43 nationally renowned figures from the world of entertainment, sports, and news; and 43 employees of Intesa Sanpaolo bank, including senior figures.


The bank told the authority that it had not informed the affected customers because it judged the incident not to pose a high risk to their rights and freedoms. Instead, it proposed writing to its entire customer base of 13 million individuals to describe the incident and the measures adopted in response.


Announcing the €31.8 million fine on Monday, the Data Protection Authority said it had found significant weaknesses in the bank's monitoring and prevention mechanisms: its internal control systems did not detect the unauthorised access when it occurred, and surfaced it only in early 2024, nearly two years after it began.


"The operating model used, which allowed operators to query the entire customer base in a fully circular manner, was not adequately balanced by controls designed to prevent and identify unauthorised access," it noted. 
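The model the authority describes, in which any operator can query any customer, is what made the access possible; the compensating control it found missing is a detective check that compares each access against the employee's legitimate scope. The following is an added example of such a check and is not code from Intesa Sanpaolo or from the Garante. The log format, branch names, employee and customer identifiers, thresholds, watch-list and approved cross-branch assignments are all constructed for illustration:

```python
"""Detective control for need-to-know violations in a customer-record system.

Added example, not the bank's or the regulator's code. The log format, branch
names, identifiers, thresholds, watch-list and approved assignments below are
constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample access log (one record view per line):
# timestamp, employee, employee's branch, customer, customer's home branch
SAMPLE_LOG = """\
2022-02-21T09:12:04Z,EMP-0471,BARLETTA-AGRI,CUST-1001,BARLETTA-AGRI
2022-02-21T09:15:30Z,EMP-0471,BARLETTA-AGRI,CUST-1002,BARLETTA-AGRI
2022-02-21T11:02:11Z,EMP-0471,BARLETTA-AGRI,CUST-7780,ROMA-CENTRO
2022-02-21T11:03:45Z,EMP-0471,BARLETTA-AGRI,CUST-7781,MILANO-PORTA
2022-02-21T11:04:10Z,EMP-0471,BARLETTA-AGRI,CUST-7782,TORINO-SUD
2022-02-22T08:40:00Z,EMP-0213,ROMA-CENTRO,CUST-7780,ROMA-CENTRO
2022-02-22T08:52:19Z,EMP-0213,ROMA-CENTRO,CUST-1001,BARLETTA-AGRI
"""

# Hypothetical policy inputs (would come from HR / CRM in a real deployment).
WATCHLIST = {"CUST-7781"}                      # e.g. public figures, staff accounts
CROSS_BRANCH_OK = {("EMP-0213", "CUST-1001")}  # recorded, approved cross-branch work
DAILY_DISTINCT_LIMIT = 4                       # distinct customers per employee per day


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    employee: str
    employee_branch: str
    customer: str
    customer_branch: str


def parse_log(text: str) -> list[AccessEvent]:
    """Parse the CSV-style log into events; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        fields = line.strip().split(",")
        if len(fields) != 5:
            continue
        ts = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append(AccessEvent(ts, *fields[1:]))
    return events


def detect(events, watchlist=WATCHLIST, cross_branch_ok=CROSS_BRANCH_OK,
           daily_limit=DAILY_DISTINCT_LIMIT) -> list[dict]:
    """Apply three need-to-know rules and return one alert dict per finding."""
    alerts = []
    per_day = defaultdict(set)  # (employee, date) -> distinct customers viewed

    for ev in events:
        per_day[(ev.employee, ev.ts.date())].add(ev.customer)

        # Rule 1: record belongs to another branch's portfolio and no approved
        # assignment covers this employee/customer pair.
        if (ev.customer_branch != ev.employee_branch
                and (ev.employee, ev.customer) not in cross_branch_ok):
            alerts.append({"rule": "out_of_branch", "employee": ev.employee,
                           "customer": ev.customer, "ts": ev.ts})

        # Rule 2: any access to a watch-listed record is alerted regardless of
        # branch, so that a justification has to be recorded every time.
        if ev.customer in watchlist:
            alerts.append({"rule": "watchlist", "employee": ev.employee,
                           "customer": ev.customer, "ts": ev.ts})

    # Rule 3: volume anomaly, evaluated once per employee per day.
    for (employee, day), customers in per_day.items():
        if len(customers) > daily_limit:
            alerts.append({"rule": "volume", "employee": employee,
                           "customer": None, "ts": day, "count": len(customers)})
    return alerts


def run_example() -> list[dict]:
    """Run the rules over the constructed log; expected: 5 alerts, all EMP-0471."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Run as a script it prints one alert per finding; the functions return the same list so the logic can be unit-tested or fed to a SIEM. Two design points matter. First, a pure volume threshold would not have caught this case: 6,600 queries spread over roughly 26 months averages out to about a dozen per working day, which looks like ordinary branch work, so the scope rule (customer outside the employee's own portfolio) is the one that carries the detection, with the watch-list adding a second trigger for records that warrant a justification on every access. Second, the approved-assignment list is what keeps the scope rule from burying reviewers in false positives for legitimate cross-branch work; without a recorded exception path, staff route around the control and the alerts get tuned out. Preventive scoping of the query interface itself remains the primary fix; rules like these are the second line the authority found absent.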


The authority also faulted the bank's handling of the incident, finding that it had sought to downplay the impact on customers' data privacy and security. "The notification was incomplete and late compared to the deadlines required by law, as was the communication to the data subjects, which occurred only following a previous provision by the Guarantor dated November 2, 2024," it said.


"In determining the amount of the fine, the Authority took into account the severity and duration of the violations, the large number of customers involved, as well as the corrective measures adopted by the institution following the incidents, aimed at strengthening internal control systems and security measures," it added.



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543