An Italian bank was fined millions of euros after an employee accessed thousands of customer accounts without permission. Learn what went wrong and why weak internal controls put data at risk.
What Happened
According to Cybernews, Italy's data protection authority, the Garante per la protezione dei dati personali (GPDP), fined Intesa Sanpaolo €31.8 million. The bank is one of the largest banking groups in Italy and in Europe. Regulators found serious failures in how it protected customer data.
The issue came to light after the bank reported a data breach in July 2024, and regulators completed their investigation and issued the fine in 2026.
The investigation shows that an employee accessed the banking information of 3,573 customers more than 6,600 times between February 2022 and April 2024. The employee was not authorized to view this data and had no legitimate reason to access it.
The data included sensitive financial details, and many of the affected customers were considered high-risk, including public figures.
Importantly, the bank did not detect this activity while it was happening, which raises concerns about how well it controls and monitors access to customer data.
How This Happened — and What Went Wrong
This was not an external cyberattack but an insider incident that weak internal controls allowed to continue.
Regulators found that the bank had no adequate systems to log and review how the employee accessed customer data. There were no tools to detect unusual access patterns or to limit access to sensitive records to staff with a business need to see them.
The employee could query large parts of the customer database without restriction and without triggering real-time alerts. No safeguard prevented the lookups, and none surfaced them quickly afterwards.
Oversight was also weak. The bank did not periodically review employee activity against what its own records showed, so the behaviour continued for more than two years.
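The controls the regulator found missing (access logging, detection of unusual patterns, need-to-know limits, and periodic review) can be approximated with a few rules run over an access log. The Python below is an added example written for this article, not code from Intesa Sanpaolo or the Garante. The log format, field names, branch codes, employee and customer identifiers, and the log lines themselves are constructed; in particular, treating a case reference as proof of a legitimate business purpose is an assumption about how such a bank would record justification.

```python
"""Insider-access anomaly detection over a constructed bank access log.

Added example, not the bank's or the regulator's code. The CSV layout, the
branch codes and the identifiers below are all constructed for illustration.
"""
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log. Fields: timestamp, employee_id, employee_branch,
# customer_id, customer_branch, high_risk (Y/N), case_ref (empty = no ticket).
# E101 and E103 do ordinary servicing work; E102 sweeps through other
# branches' customers, several of them flagged high-risk, with no ticket.
SAMPLE_LOG = """\
2024-03-04T09:01:10,E101,MI-01,C5001,MI-01,N,CASE-771
2024-03-04T09:15:42,E101,MI-01,C5002,MI-01,N,CASE-772
2024-03-04T10:02:00,E101,MI-01,C5003,MI-01,Y,CASE-773
2024-03-04T10:40:13,E103,RM-02,C7001,RM-02,N,CASE-801
2024-03-04T11:05:51,E103,RM-02,C7002,RM-02,N,
2024-03-04T08:55:00,E102,MI-01,C9001,RM-02,Y,
2024-03-04T08:56:30,E102,MI-01,C9002,RM-02,Y,
2024-03-04T08:57:11,E102,MI-01,C9003,TO-03,N,
2024-03-04T08:58:45,E102,MI-01,C9004,TO-03,N,
2024-03-04T09:00:02,E102,MI-01,C9005,NA-04,N,
2024-03-04T09:01:20,E102,MI-01,C9006,NA-04,Y,
2024-03-04T09:02:33,E102,MI-01,C9007,RM-02,N,
2024-03-04T09:03:49,E102,MI-01,C9008,MI-01,N,
"""

FIELDS = ["ts", "employee", "emp_branch", "customer", "cust_branch", "high_risk", "case_ref"]


def parse_log(text):
    """Parse headerless CSV access-log text into dicts with a datetime timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        row["ts"] = datetime.fromisoformat(row["ts"])
        rows.append(row)
    return rows


def daily_distinct_customers(rows):
    """Map (employee, date) -> set of distinct customer records viewed that day."""
    seen = defaultdict(set)
    for r in rows:
        seen[(r["employee"], r["ts"].date())].add(r["customer"])
    return seen


def detect_anomalies(rows, k=3.0, min_floor=5):
    """Return {employee: [alert strings]} for three insider-access signals.

    1. volume: distinct customers viewed in one day exceeds the peer baseline,
       median + k * MAD over all employee-days, with an absolute floor so that
       a tiny sample cannot make two lookups look anomalous.
    2. out_of_portfolio: the customer belongs to another branch and no case
       reference justifies the lookup (no demonstrated need-to-know).
    3. high_risk_unjustified: a flagged customer was viewed without a case ref.
    """
    alerts = defaultdict(list)
    per_day = daily_distinct_customers(rows)
    counts = [len(s) for s in per_day.values()]
    median = statistics.median(counts)
    mad = statistics.median(abs(c - median) for c in counts) or 1.0
    threshold = max(min_floor, median + k * mad)
    for (emp, day), custs in per_day.items():
        if len(custs) > threshold:
            alerts[emp].append(f"volume:{day}:{len(custs)}>{threshold:.1f}")
    for r in rows:
        if r["case_ref"]:
            continue  # assumption: a ticketed lookup is presumed justified
        if r["cust_branch"] != r["emp_branch"]:
            alerts[r["employee"]].append(f"out_of_portfolio:{r['customer']}")
        if r["high_risk"] == "Y":
            alerts[r["employee"]].append(f"high_risk_unjustified:{r['customer']}")
    return dict(alerts)


if __name__ == "__main__":
    for emp, found in detect_anomalies(parse_log(SAMPLE_LOG)).items():
        print(emp, *found, sep="\n  ")
```

Only E102 produces alerts on this sample: one volume alert (8 distinct customers against a threshold of 6), seven out-of-portfolio lookups and three unjustified views of high-risk customers. The volume rule alone would not have caught the case described above: 6,600 lookups spread over roughly 26 months is on the order of ten per working day, which blends into normal servicing. The out-of-portfolio and high-risk rules are what would surface a pattern like this one, and the same three checks run per event rather than per batch give the real-time alerting the regulator found missing.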
The investigation also found gaps in transparency, as customers were not clearly informed about how their data was accessed and used.
Authorities concluded that neither the technical protections nor the internal controls were strong enough, exposing critical weaknesses in how the bank managed and protected personal data.

What Regulators Require From the Bank
Following the investigation, regulators are requiring Intesa Sanpaolo to improve how it handles customer data.
They instructed the bank to:
- clearly explain what data it collects and why
- limit data collection to what is strictly necessary
- document the legal basis for processing personal information
- improve data accuracy and security
The authority set the fine based on how serious and long the violations were, as well as how many customers were affected. Regulators also took into account what the bank has already done to fix the issue.
The Key Takeaway From This Case
This incident shows how exposed your information can be even when no outside attacker is involved.
When internal controls are weak, someone with legitimate system access can read sensitive information and misuse it, and nobody notices.
And this is not rare: in 2025, around 22% of data breaches started with stolen or misused credentials. Once someone has that access, even a limited amount, they can use it for phishing, impersonation, or scam messages.
Although you can’t control how a bank handles your data, you can reduce future risks by protecting your own accounts and staying alert.
Tools like Futureproof help you stay ahead by monitoring your data and alerting you early — before small risks turn into bigger problems.

At Futureproof, Kevin makes online safety feel human with clear steps, real examples, and zero fluff. He holds a degree in information technology and studies fraud trends to keep his tips up-to-date.
In his free time, Kevin plays with his cat, enjoys board-game nights, and hunts for New York’s best cinnamon rolls.
