Banks

Privacy Guarantor sanctions Intesa Sanpaolo over 'data breach' with a EUR 31.8 million fine

An employee accessed, without justification, the banking information of 3,573 customers

2' min read

Translated by AI
Versione italiana


The Italian Data Protection Authority announced in a note that it had imposed 'a sanction of EUR 31.8 million on Intesa Sanpaolo S.p.A. for serious shortcomings in the security of personal data due to the inadequacy of the technical and organisational measures adopted'.

"The Authority's investigation - initiated following the data breach notified by the bank in July 2024 - ascertained that an employee accessed, without justified reason, the banking information of 3,573 customers, making more than 6,600 consultations between 21 February 2022 and 24 April 2024. These undue accesses were not detected by the internal control systems, highlighting significant criticalities in the monitoring and prevention mechanisms," the Privacy Guarantor's note underlines.


"The unlawful access also concerned data relating to 'high-risk' customers, including subjects with roles of public importance, for which stronger control measures would have been necessary," the note specifies, adding that the Authority had ascertained, in particular, "the violation of the principles of integrity and confidentiality of personal data, as well as of the principle of accountability, noting the overall inadequacy of the measures adopted. The operational model used, which allowed operators to query the entire customer base in full circularity, was not adequately balanced by suitable controls to prevent and identify unjustified accesses".
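The failure the Garante describes is a monitoring one: lookups with no business justification, spread across thousands of customers over two years, never tripped an internal control. As an added illustration (not code from Intesa Sanpaolo or the Garante), the script below runs three simple detections over a constructed customer-lookup log: lookups with no case reference attached, operators who consult an unusually large number of distinct customers in a short window, and any access to a 'high-risk' customer without a justification. The log format and the field names (operator, customer, case_ref, high_risk) are assumptions about what such an audit trail would carry; the sample lines are invented.

```python
"""
Access-monitoring checks over a customer-record lookup log.

Added illustrative example, not the bank's or the Authority's code.
Every log line below is constructed; the column layout and the idea
that each lookup should carry a case reference are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp;operator;customer;case_ref;high_risk
# An empty case_ref means the operator gave no justification for the lookup.
SAMPLE_LOG = """\
2024-03-01T09:02:11;op-17;C00001;CASE-4411;0
2024-03-01T09:10:45;op-17;C00002;CASE-4412;0
2024-03-01T09:15:03;op-42;C00003;;0
2024-03-01T09:16:19;op-42;C00004;;0
2024-03-01T09:17:58;op-42;C00005;;1
2024-03-01T09:19:21;op-42;C00006;;0
2024-03-01T09:20:40;op-42;C00007;;0
2024-03-01T09:22:02;op-42;C00008;;0
2024-03-01T09:23:37;op-42;C00009;;0
2024-03-02T10:01:00;op-17;C00010;CASE-4420;1
"""


def parse_log(text):
    """Turn the semicolon-separated log into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, operator, customer, case_ref, high_risk = line.split(";")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "operator": operator,
            "customer": customer,
            "case_ref": case_ref or None,
            "high_risk": high_risk == "1",
        })
    return records


def find_unjustified(records):
    """Lookups that carry no case reference: no documented reason to access."""
    return [r for r in records if r["case_ref"] is None]


def find_bulk_lookups(records, window=timedelta(hours=1), max_distinct=5):
    """Operators who consult more than max_distinct distinct customers inside
    any sliding time window of the given length (a 'whole customer base is
    open to me' pattern). Returns {operator: peak distinct-customer count}."""
    by_op = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_op[r["operator"]].append(r)
    flagged = {}
    for op, rows in by_op.items():
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it fits within `window`.
            while rows[end]["ts"] - rows[start]["ts"] > window:
                start += 1
            distinct = {x["customer"] for x in rows[start:end + 1]}
            if len(distinct) > max_distinct:
                flagged[op] = max(flagged.get(op, 0), len(distinct))
    return flagged


def find_high_risk_without_case(records):
    """High-risk customers are the ones the note says need stronger controls:
    any lookup on them without a justification is alert-worthy on its own."""
    return [r for r in records if r["high_risk"] and r["case_ref"] is None]


def build_alerts(text):
    """Run all three checks and summarise the findings."""
    records = parse_log(text)
    return {
        "unjustified": len(find_unjustified(records)),
        "bulk": find_bulk_lookups(records),
        "high_risk_unjustified": [
            r["customer"] for r in find_high_risk_without_case(records)
        ],
    }


if __name__ == "__main__":
    for key, value in build_alerts(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The thresholds (a one-hour window, more than five distinct customers) are deliberately low so the constructed sample trips them; in practice they would be calibrated per role against a baseline of normal activity. The point the checks make is structural: a lookup with no attached justification is the cheapest signal to collect and would have surfaced the pattern described above long before 6,600 consultations had accumulated.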

Further critical issues, the note emphasises, 'emerged in the management of the data breach. The notification was incomplete and late with respect to the terms provided for by the legislation, as was the communication to the data subjects, which took place only after a previous provision of the Garante of 2 November 2024 (web doc. no. 10070521). Such conduct compromised the possibility of timely intervention by the Authority to protect the rights and freedoms of the persons concerned'.

"In the light of the violations found, the Garante considered the conduct put in place by Intesa Sanpaolo to be unlawful. In determining the amount of the sanction, the Authority took into account the seriousness and duration of the violations, the large number of customers involved, as well as the corrective measures adopted by the bank after the facts, aimed at strengthening its internal control systems and security safeguards," the note ends.
