Intesa Sanpaolo Fined for Undetected Employee Data Breach Affecting 3,573 Customers
Italy’s data protection authority, the Garante, has imposed a fine on Intesa Sanpaolo after an internal investigation revealed a prolonged breach of customer data by one of its employees. Between February 2022 and April 2024, the employee accessed the banking information of 3,573 clients, conducting over 6,600 unauthorized consultations, all without detection by the bank’s internal controls.
The Garante highlighted critical flaws in Intesa Sanpaolo’s monitoring systems, noting that the breach included high-profile individuals who should have been subject to stricter safeguards. The bank has since implemented corrective measures to bolster its data security, and the authority factored these improvements into its penalty decision.
Intesa Sanpaolo has not yet responded to requests for comment. The case underscores persistent vulnerabilities in financial institutions’ ability to prevent insider threats.
Intesa Sanpaolo cybersecurity rating report: https://www.rankiteo.com/company/intesa-sanpaolo
{
  "id": "INT1774888625",
  "linkid": "intesa-sanpaolo",
  "type": "Breach",
  "date": "2/2022",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "customers_affected": "3,573",
      "industry": "Financial Services",
      "location": "Italy",
      "name": "Intesa Sanpaolo",
      "type": "Bank"
    }
  ],
  "attack_vector": "Insider Threat",
  "data_breach": {
    "number_of_records_exposed": "3,573 clients, 6,600 unauthorized consultations",
    "personally_identifiable_information": "Yes",
    "sensitivity_of_data": "High (included high-profile individuals)",
    "type_of_data_compromised": "Banking information"
  },
  "date_detected": "2024-04",
  "description": "Italy’s data protection authority, the Garante, has imposed a fine on Intesa Sanpaolo after an internal investigation revealed a prolonged breach of customer data by one of its employees. Between February 2022 and April 2024, the employee accessed the banking information of 3,573 clients, conducting over 6,600 unauthorized consultations all without detection by the bank’s internal controls. The Garante highlighted critical flaws in Intesa Sanpaolo’s monitoring systems, noting that the breach included high-profile individuals who should have been subject to stricter safeguards. While the bank has since implemented corrective measures to bolster its data security, the authority factored these improvements into its penalty decision.",
  "impact": {
    "brand_reputation_impact": "Yes",
    "data_compromised": "Banking information of 3,573 clients",
    "identity_theft_risk": "Yes",
    "legal_liabilities": "Fines imposed by Garante",
    "operational_impact": "Critical flaws in monitoring systems",
    "payment_information_risk": "Yes"
  },
  "investigation_status": "Completed",
  "lessons_learned": "Persistent vulnerabilities in financial institutions’ ability to prevent insider threats; need for stricter safeguards for high-profile individuals",
  "post_incident_analysis": {
    "corrective_actions": "Implemented corrective measures to bolster data security; enhanced monitoring",
    "root_causes": "Inadequate internal monitoring and access controls"
  },
  "recommendations": "Improve internal monitoring and access controls; enhance detection of unauthorized access",
  "references": [
    {"source": "Garante (Italy’s data protection authority)"}
  ],
  "regulatory_compliance": {
    "fines_imposed": "Yes",
    "regulations_violated": "GDPR (Italy’s data protection regulations)"
  },
  "response": {
    "enhanced_monitoring": "Yes",
    "remediation_measures": "Implemented corrective measures to bolster data security"
  },
  "threat_actor": "Employee",
  "title": "Intesa Sanpaolo Fined for Undetected Employee Data Breach Affecting 3,573 Customers",
  "type": "Data Breach",
  "vulnerability_exploited": "Inadequate internal monitoring and access controls"
}