One employee. Over 6,600 database queries. Two full years of unrestricted snooping on 3,573 customer accounts — including politicians and public figures. And nobody at Italy’s largest bank noticed a thing.
On March 30, Italy’s data protection authority (the Garante) slapped Intesa Sanpaolo with a €31.8 million fine for what amounts to a systemic failure to protect customer data. The penalty is one of the largest GDPR fines imposed on a financial institution and sends a clear message: having security policies on paper means nothing if your systems can’t enforce them.
What Happened
Between February 2022 and April 2024, a single Intesa Sanpaolo employee repeatedly accessed banking information for thousands of customers without any legitimate business reason. The employee made over 6,600 queries across the bank’s internal systems, browsing account details of people far outside their assigned customer portfolio.
The targets weren’t random. Among the 3,573 affected customers were politicians, prominent public figures, and other high-profile individuals — exactly the kind of accounts that should have had extra protection layers. They didn’t.
The bank only disclosed the breach to regulators in July 2024, three months after the unauthorized access finally stopped. But the real scandal is what happened next: the Garante found that Intesa Sanpaolo’s notifications to affected customers were incomplete and arrived well past the legal deadline. Many customers only learned their banking data had been compromised after the regulator intervened in November 2024 — more than six months after the bank knew about it.
How the Detection Failed
The Garante’s investigation painted a damning picture of Intesa Sanpaolo’s internal controls. The bank’s monitoring systems were supposed to flag unusual data access patterns. They didn’t work.
The core problem was an overly permissive system design. Employees could query customer data across the entire system without adequate restrictions. There was no meaningful requirement to justify accessing information outside assigned portfolios. And the real-time monitoring that should have caught thousands of anomalous queries simply failed to trigger any alerts.
Regulators described the controls as having a fundamental gap between their design and their actual effectiveness. The bank had security measures on paper. In practice, those measures couldn’t detect an employee openly browsing sensitive data for 26 straight months.
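As an added illustration (not code from the article or from Intesa Sanpaolo's systems), the following sketch shows the kind of portfolio-aware access monitoring whose absence the Garante described: it flags an employee who queries accounts outside their assigned portfolio at volume, and any query against an account tagged as high-risk by someone not assigned to it. The log format, account identifiers, portfolio assignments and thresholds are all constructed assumptions for illustration.

```python
# Added example: minimal insider-access detection over constructed access-log lines.
# Log format, account ids, portfolios and thresholds are assumptions, not the bank's.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp,employee,account_queried"
SAMPLE_LOG = """\
2022-02-01T09:00:00,emp_a,acct_100
2022-02-01T09:02:00,emp_a,acct_101
2022-02-01T09:05:00,emp_a,acct_900
2022-02-01T09:06:00,emp_a,acct_901
2022-02-01T09:07:00,emp_a,acct_902
2022-02-01T09:08:00,emp_a,acct_903
2022-02-01T09:30:00,emp_b,acct_200
2022-02-01T09:31:00,emp_b,acct_201
"""

# Constructed assignments: accounts each employee legitimately services.
PORTFOLIOS = {"emp_a": {"acct_100", "acct_101"}, "emp_b": {"acct_200", "acct_201"}}
# Constructed set of accounts needing extra safeguards (e.g. public figures).
HIGH_RISK = {"acct_901"}

def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, emp, acct = line.split(",")
        rows.append((datetime.fromisoformat(ts), emp, acct))
    return rows

def detect(rows, portfolios, high_risk, window=timedelta(hours=1), threshold=3):
    """Return (rule, employee, detail) alerts for off-portfolio access patterns."""
    alerts = []
    off_portfolio = defaultdict(list)  # employee -> timestamps of off-portfolio queries
    for ts, emp, acct in sorted(rows):
        assigned = portfolios.get(emp, set())
        if acct in assigned:
            continue  # within the employee's own portfolio: normal business
        if acct in high_risk:
            alerts.append(("high_risk_access", emp, acct))
        hist = off_portfolio[emp]
        hist.append(ts)
        while hist and ts - hist[0] > window:  # keep only queries inside the window
            hist.pop(0)
        if len(hist) == threshold:  # fire once as the threshold is crossed
            alerts.append(("off_portfolio_volume", emp, f"{len(hist)} queries in {window}"))
    return alerts
```

Real deployments would add a per-query justification field and alert on its absence, which is the control the article notes was missing.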
The Fine
The €31.8 million penalty reflects several GDPR violations:
- Integrity and confidentiality — The bank failed to implement adequate technical measures to prevent unauthorized access
- Accountability — Internal controls existed in name but couldn’t actually detect or prevent misuse
- Breach notification — Late and incomplete communication to affected customers
- Enhanced protection failures — High-risk customers who should have received additional safeguards didn’t get them
The Garante calculated the penalty based on the severity and duration of the violations, the number of affected customers, and how management handled the aftermath. Intesa Sanpaolo declined to comment on the enforcement action.
The Insider Threat Problem
Most people picture data breaches as sophisticated external attacks — hackers exploiting zero-day vulnerabilities or deploying advanced malware. The Intesa Sanpaolo case is a reminder that some of the worst breaches come from the inside.
An insider with legitimate system access doesn’t need to bypass firewalls or crack encryption. They just need an employer with weak internal controls. And the data they access looks identical to normal business operations unless someone is actively watching for patterns that don’t make sense.
Banking data is particularly sensitive. Transaction histories reveal where you shop, what you spend, who you pay. Account details can be used for identity theft. And for public figures, financial records can be weaponized for political purposes or blackmail.
This wasn’t a sophisticated operation. One person, running database queries through the bank’s own systems, for two years. The simplicity of it makes the detection failure even harder to justify.
Why This Matters
The Intesa Sanpaolo fine lands at a moment when GDPR enforcement is getting sharper. The European Data Protection Board made transparency its coordinated enforcement priority for 2026, and regulators across Europe are signalling less patience with organisations that treat data protection as a box-ticking exercise.
For banking customers, the case raises uncomfortable questions. If Italy’s largest bank — with all its resources and regulatory obligations — couldn’t detect a single employee browsing thousands of accounts for two years, what’s happening at smaller institutions? What access do bank employees have to your financial data right now, and who’s watching?
The honest answer for most banks: the access is broader than you’d like, and the monitoring is weaker than it should be. Intesa Sanpaolo isn’t unique. They’re just the one that got caught and fined.
Protecting Your Financial Privacy
You can’t control how your bank monitors employee access to your data, but you can make informed choices:
- Ask your bank what internal access controls they use and whether they monitor employee data access in real time
- Minimise the data you share — don’t provide information your bank doesn’t strictly need
- Watch your accounts for any activity or communications you don’t recognise
- Consider privacy-first alternatives where your financial data stays under your control with end-to-end encryption
- Know your rights — under GDPR, you can request a record of who has accessed your personal data and when
The Intesa Sanpaolo case proves that trusting a large institution with your data isn’t the same as that data being safe. Size doesn’t equal security. Reputation doesn’t equal accountability. Only verified, enforced controls do — and as this €31.8 million fine shows, even major banks can fail that test spectacularly.