Italian Data Protection Authority Fines Intesa Sanpaolo €36 Million for Major Data Breach
Italy’s data protection authority (Garante per la Protezione dei Dati Personali) has imposed a €36 million fine on Intesa Sanpaolo, one of the country’s largest banking groups, following a significant data breach. The penalty stems from violations of the EU’s General Data Protection Regulation (GDPR), including inadequate security measures that exposed sensitive customer data.
The breach, which came to light in 2025, involved unauthorized access to personal and financial information of millions of Intesa Sanpaolo customers. While the exact timeline of the incident remains undisclosed, the regulator determined that the bank failed to implement sufficient safeguards to prevent the exposure, leading to the hefty fine.
The case underscores the growing scrutiny of financial institutions over GDPR compliance, particularly in handling large-scale customer data. Intesa Sanpaolo has not publicly disputed the fine but has indicated plans to enhance its cybersecurity protocols in response. The decision serves as a reminder of the legal and financial consequences for organizations failing to protect user data under EU privacy laws.
Intesa Sanpaolo cybersecurity rating report: https://www.rankiteo.com/company/intesa-sanpaolo
{
  "id": "INT1774888779",
  "linkid": "intesa-sanpaolo",
  "type": "Breach",
  "date": "3/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "customers_affected": "Millions",
      "industry": "Financial Services",
      "location": "Italy",
      "name": "Intesa Sanpaolo",
      "size": "Large",
      "type": "Banking Group"
    }
  ],
  "data_breach": {
    "number_of_records_exposed": "Millions",
    "personally_identifiable_information": "Yes",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": ["Personal information", "Financial information"]
  },
  "date_publicly_disclosed": "2025",
  "description": "Italy’s data protection authority (Garante per la Protezione dei Dati Personali) imposed a €36 million fine on Intesa Sanpaolo, one of the country’s largest banking groups, following a significant data breach. The breach involved unauthorized access to personal and financial information of millions of customers due to inadequate security measures, violating the EU’s General Data Protection Regulation (GDPR).",
  "impact": {
    "brand_reputation_impact": "Likely significant",
    "data_compromised": "Personal and financial information",
    "financial_loss": "€36 million (fine)",
    "identity_theft_risk": "High",
    "legal_liabilities": "GDPR violation",
    "payment_information_risk": "High"
  },
  "investigation_status": "Completed (fine imposed)",
  "lessons_learned": "The incident highlights the importance of robust cybersecurity measures and GDPR compliance for financial institutions handling large-scale customer data.",
  "post_incident_analysis": {
    "corrective_actions": "Enhance cybersecurity protocols",
    "root_causes": "Inadequate security measures"
  },
  "recommendations": "Enhance security protocols, conduct regular audits, and ensure compliance with data protection regulations.",
  "references": [{"source": "Garante per la Protezione dei Dati Personali"}],
  "regulatory_compliance": {
    "fines_imposed": "€36 million",
    "regulations_violated": ["GDPR"]
  },
  "response": {"remediation_measures": "Enhance cybersecurity protocols"},
  "title": "Intesa Sanpaolo Data Breach and GDPR Violation",
  "type": "Data Breach",
  "vulnerability_exploited": "Inadequate security measures"
}