Italy data protection agency fines Intesa Sanpaolo $36 million over data breach

MILAN, (Reuters) - Italy’s data protection authority said on Monday it had fined the country’s biggest bank Intesa Sanpaolo 31.8 million euro ($36.41 million) over a data breach case that involved some 3,500 customers over two years.

 

According to the agency’s investigation, an Intesa employee accessed banking information of 3,573 customers, carrying out more than 6,600 consultations between February 2022 and April 2024.

 

"These unauthorised accesses went undetected by the bank’s internal control systems, revealing significant weaknesses in its monitoring and prevention mechanisms," the authority, known in Italy as the ’Garante’, said in a statement.

 

Intesa Sanpaolo did not immediately respond to a request for comment.

 

Among the clients affected were individuals with prominent public roles for whom enhanced control measures should have been in place, the Garante said.

 

In setting its fine, the authority said it took into account corrective measures subsequently adopted by the bank to strengthen its internal control systems and data security safeguards.

 

($1 = 0.8734 euros)

 

(Reporting by Elvira Pollina, editing by Cristina Carlevaro and Gavin Jones)