
Italy’s data protection authority has issued a strong rebuke to Intesa Sanpaolo (ISP.MI), accusing the bank of downplaying the severity of a data breach affecting approximately 3,500 customers, including prominent Italian figures such as Prime Minister Giorgia Meloni. The Privacy Guarantor, Italy’s national data privacy watchdog, asserted on Tuesday that Intesa Sanpaolo had underestimated the risk the breach posed to the rights and freedoms of individuals involved and instructed the bank to inform all impacted customers within 20 days.
The breach reportedly involved an Intesa Sanpaolo employee who accessed confidential client information, prompting the bank to take disciplinary action: the employee was initially suspended and then dismissed after an internal investigation confirmed the unauthorized data access. The case, which came to light through media reports, triggered heightened scrutiny from the Privacy Guarantor and from public prosecutors in Bari, who are investigating the employee for unauthorized computer access.
Intesa Sanpaolo conducted a preliminary audit in response to the incident and reported the breach to the Privacy Guarantor. However, the authority criticized the bank for failing to adequately disclose the scale of the breach in its initial reports; the full extent became apparent only after media coverage. The Privacy Guarantor stated that the nature of the data accessed and the potential impact on customers, including exposure of financial information and possible reputational damage, constituted a “high-risk” incident that required immediate corrective measures.
Intesa Sanpaolo acknowledged that further checks indicated the breach affected fewer customers than initially reported. However, the Privacy Guarantor has insisted that the breach still poses significant risks, mandating the bank to provide detailed updates on the security measures implemented to prevent further incidents.
In an official statement, Intesa emphasized its commitment to data security and transparency, confirming that it had already started to address the watchdog’s requirements and had taken steps to enhance its internal control systems. The bank assured “maximum cooperation” with regulatory authorities and underscored that there is no indication that the compromised data has been shared outside the organization.
The Privacy Guarantor, meanwhile, has stated it will evaluate the adequacy of Intesa Sanpaolo’s security measures through a continuing investigation and has required the bank to submit a comprehensive report within 30 days. The bank’s response will be reviewed to determine if further action is needed to ensure compliance with data protection standards.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd.