Italian Regulators Fine Intesa Sanpaolo €31.8M for Unauthorized Customer Data Access
Italian regulators imposed a €31.8 million ($36 million) fine on Intesa Sanpaolo, one of the country’s largest financial institutions, after an employee improperly accessed the banking data of over 3,500 customers over a two-year period without being detected. The Italian Data Protection Authority (DPA) cited "serious shortcomings in personal data security" resulting from inadequate technical and organizational safeguards.
The investigation, triggered by a data breach disclosed by the bank in July 2024, revealed that an employee accessed the accounts of 3,573 customers between February 2022 and April 2024 without legitimate justification. The DPA noted that internal controls failed to detect these unauthorized accesses, exposing critical weaknesses in monitoring and prevention mechanisms. The bank’s systems allowed unrestricted queries across the entire customer database and lacked safeguards to flag improper lookups.
Among the affected customers were "high-risk" individuals, including public figures, whom the regulator stated should have been subject to enhanced protections. The DPA also criticized Intesa Sanpaolo’s response to the breach, citing incomplete and delayed notifications to impacted customers, which violated legal deadlines.
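The monitoring gap described in the two paragraphs above (unrestricted lookups across the whole customer base, nothing flagging improper activity, no enhanced protection for high-risk individuals) is the kind of pattern a routine access-audit review catches. The following is an added example written for this page; it is not Intesa Sanpaolo's code and does not reproduce the regulator's findings. The log format, the employee-to-branch and customer-to-branch mappings, the high-risk list, the approval tickets and the daily threshold are all assumptions, and the log lines are constructed.

```python
"""Added example (not Intesa Sanpaolo's code): review a customer-lookup audit
log for the access pattern the regulator describes. Every mapping, threshold
and log line below is constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed audit log, one customer lookup per line (assumed format):
#   <ISO timestamp> <employee id> <customer id>
SAMPLE_LOG = """\
2024-03-04T09:12:01 E1001 C-20001
2024-03-04T09:15:44 E1001 C-20002
2024-03-04T09:20:10 E1001 C-20003
2024-03-04T10:02:30 E1002 C-30001
2024-03-04T10:30:00 E1002 C-20001
2024-03-04T11:05:12 E1002 C-90001
2024-03-04T11:06:00 E1003 C-40001
2024-03-04T11:40:00 E1003 C-90001
"""

# Constructed reference data (all assumptions): the branch each employee
# serves, the branch each customer belongs to, the customers tagged for
# enhanced protection, and (employee, customer) pairs with an approved
# business reason (a ticket) for the lookup.
EMPLOYEE_BRANCH = {"E1001": "BR-MI01", "E1002": "BR-RM02", "E1003": "BR-TO03"}
CUSTOMER_BRANCH = {
    "C-20001": "BR-MI01", "C-20002": "BR-MI01", "C-20003": "BR-MI01",
    "C-30001": "BR-RM02", "C-40001": "BR-TO03", "C-90001": "BR-RM02",
}
HIGH_RISK_CUSTOMERS = {"C-90001"}
APPROVED_ACCESS = {("E1003", "C-90001")}
# Deliberately tiny so the sample trips it; a real limit comes from a baseline.
DAILY_DISTINCT_CUSTOMER_LIMIT = 2


@dataclass(frozen=True)
class Finding:
    rule: str       # which control fired
    employee: str
    detail: str


def parse_log(text):
    """Parse the audit log into (timestamp, employee, customer) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, employee, customer = line.split()
        events.append((datetime.fromisoformat(ts), employee, customer))
    return events


def analyze(events, employee_branch=EMPLOYEE_BRANCH, customer_branch=CUSTOMER_BRANCH,
            high_risk=HIGH_RISK_CUSTOMERS, approved=APPROVED_ACCESS,
            daily_limit=DAILY_DISTINCT_CUSTOMER_LIMIT):
    """Apply three controls of the kind the article says were missing:
    1. out_of_branch: a lookup of a customer the employee has no relationship
       with (approximated here by branch; unknown customers are flagged too);
    2. high_risk_no_ticket: any lookup of a protected account without an
       approved business reason;
    3. volume: more distinct customers per day than the employee's limit.
    An approved (employee, customer) pair suppresses rules 1 and 2 but still
    counts toward the daily volume."""
    findings = []
    distinct_per_day = defaultdict(set)
    for ts, employee, customer in events:
        distinct_per_day[(employee, ts.date())].add(customer)
        if (employee, customer) in approved:
            continue
        owner = customer_branch.get(customer)
        if owner != employee_branch.get(employee):
            findings.append(Finding("out_of_branch", employee,
                                    f"{customer} belongs to {owner}"))
        if customer in high_risk:
            findings.append(Finding("high_risk_no_ticket", employee, customer))
    for (employee, day), customers in sorted(distinct_per_day.items()):
        if len(customers) > daily_limit:
            findings.append(Finding("volume", employee,
                                    f"{len(customers)} distinct customers on {day}"))
    return findings


def findings_by_rule(findings):
    """Group findings as {rule: sorted list of employee ids} for triage."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f.rule].add(f.employee)
    return {rule: sorted(emps) for rule, emps in grouped.items()}


if __name__ == "__main__":
    for finding in analyze(parse_log(SAMPLE_LOG)):
        print(f"{finding.rule:<20} {finding.employee} {finding.detail}")
```

On the constructed sample, E1002 is flagged three times (a lookup outside its branch, a protected account without a ticket, and daily volume), E1001 once for volume, and E1003 not at all because its protected-account lookup is covered by a ticket. In a real deployment the daily limit would be a per-role baseline rather than a constant, and the relationship check would join against actual portfolio and service-request data; the point is that each rule depends on reference data the lookup log alone does not carry, which is the kind of safeguard the regulator found lacking.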
The fine reflects the severity and duration of the violations, the number of affected individuals, and the bank’s post-discovery remediation efforts. Intesa Sanpaolo has not publicly commented on the penalty.
Source: https://therecord.media/italian-regulator-fines-financial-giant-36-million
Intesa Sanpaolo cybersecurity rating report: https://www.rankiteo.com/company/intesa-sanpaolo
{
  "id": "INT1774895581",
  "linkid": "intesa-sanpaolo",
  "type": "Breach",
  "date": "7/2024",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact, including leaks of customer data"
}
{
  "affected_entities": [
    {
      "customers_affected": "3,573",
      "industry": "Banking",
      "location": "Italy",
      "name": "Intesa Sanpaolo",
      "size": "Large",
      "type": "Financial Institution"
    }
  ],
  "attack_vector": "Insider Threat",
  "customer_advisories": "Delayed and incomplete notifications to impacted customers",
  "data_breach": {
    "number_of_records_exposed": "3,573",
    "personally_identifiable_information": "Yes",
    "sensitivity_of_data": "High (included high-risk individuals such as public figures)",
    "type_of_data_compromised": "Banking data, personally identifiable information"
  },
  "date_detected": "2024-07",
  "date_publicly_disclosed": "2024-07",
  "description": "Italian regulators imposed a €31.8 million ($36 million) fine on Intesa Sanpaolo after an employee improperly accessed the banking data of over 3,500 customers over a two-year period. The Italian Data Protection Authority (DPA) cited 'serious shortcomings in personal data security' due to inadequate technical and organizational safeguards.",
  "impact": {
    "brand_reputation_impact": "Yes",
    "data_compromised": "Banking data of 3,573 customers",
    "financial_loss": "€31.8M fine",
    "identity_theft_risk": "Yes",
    "legal_liabilities": "Regulatory fines and violations",
    "operational_impact": "Weaknesses in monitoring and prevention mechanisms",
    "payment_information_risk": "Yes",
    "systems_affected": "Customer database"
  },
  "initial_access_broker": {
    "high_value_targets": "Public figures and high-risk individuals"
  },
  "investigation_status": "Completed",
  "lessons_learned": "Inadequate internal controls and monitoring can lead to unauthorized data access, especially for high-risk individuals. Timely and complete customer notifications are critical.",
  "post_incident_analysis": {
    "corrective_actions": "Enhanced safeguards, stricter access controls, improved monitoring mechanisms",
    "root_causes": "Inadequate technical and organizational safeguards, unrestricted database queries, lack of sufficient monitoring to flag improper activity"
  },
  "recommendations": "Implement stricter access controls, enhance monitoring mechanisms, ensure timely regulatory notifications, and apply enhanced protections for high-risk individuals.",
  "references": [
    {"source": "Italian Data Protection Authority (DPA)"}
  ],
  "regulatory_compliance": {
    "fines_imposed": "€31.8M",
    "regulations_violated": "GDPR, Italian data protection laws",
    "regulatory_notifications": "Delayed and incomplete"
  },
  "response": {
    "communication_strategy": "Incomplete and delayed notifications to impacted customers",
    "enhanced_monitoring": "Planned",
    "remediation_measures": "Enhanced safeguards and monitoring mechanisms"
  },
  "threat_actor": "Employee",
  "title": "Italian Regulators Fine Intesa Sanpaolo €31.8M for Unauthorized Customer Data Access",
  "type": "Unauthorized Data Access",
  "vulnerability_exploited": "Inadequate internal controls and monitoring mechanisms"
}