Introduction
When cybersecurity breaches are discussed, the image that comes to mind is usually that of anonymous hackers attacking from the outside. Yet some of the most serious threats originate inside the organization itself. The recent case involving Intesa Sanpaolo, one of Italy's largest banking institutions, is a concrete and instructive example.
What Happened
Between February 21, 2022 and April 24, 2024, a single Intesa Sanpaolo employee made over 6,600 unauthorized accesses to the bank’s databases, without any legitimate professional reason for doing so. During this period, the data of 3,573 customers was unlawfully accessed. Among the affected customers were individuals holding prominent public roles, which made the situation even more sensitive from a privacy standpoint.
This incident does not involve a cyberattack carried out by external criminals, but rather what experts call an insider threat: a person who, already having access to corporate systems for work purposes, exploited that position to view information they had no right to see.
On March 30, 2026, the Garante per la protezione dei dati personali (Italy's data protection supervisory authority) fined Intesa Sanpaolo €31.8 million for violations of the General Data Protection Regulation (GDPR). The charges concern three failings: the absence of adequate technical and organizational measures to prevent unauthorized access, the lack of systems capable of detecting anomalous behavior in a timely manner, and a delay in notifying the relevant authorities of the breach.
Why It Matters
This episode highlights an often underestimated reality: even large, well-resourced organizations are vulnerable when they lack the tools to monitor how employees actually use their information systems. The fact that the accesses could later be counted suggests that access records existed; that the conduct nonetheless continued for over two years without being detected points to the absence of any process that reviewed those records in time. For the customers involved, the breach may have exposed sensitive information to misuse, although what, if anything, was done with the data has not been publicly clarified.
What Companies and Users Can Do
Companies should log every access to customer data and review those logs with monitoring that detects unusual behavior, such as an employee querying far more records than their peers, or records outside the scope of their role, and that triggers a prompt response rather than a retrospective audit. It is equally important to train staff in responsible information handling and to define, and enforce in the systems themselves, who may access which data and for what purpose.
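The kind of monitoring described above, as an added example that is not code from the original article or from the bank: a small Python detector run over a constructed access log. It combines a peer-volume check (how many distinct records an employee opens per day, compared with everyone else using a robust median/MAD baseline), a need-to-know check (lookups of customers outside the employee's own branch) and a watchlist check for high-sensitivity accounts, where a single access already merits an alert. The log format, branch codes, thresholds and watchlist are assumptions made for illustration.

```python
"""Insider-access anomaly detection over a constructed core-banking access log.

Added example for this article; not code from Intesa Sanpaolo or the original page.
Log format, branch codes, thresholds and the watchlist are illustrative assumptions.
"""
from collections import defaultdict
import statistics

# Constructed sample log, one record per lookup:
#   date,employee_id,employee_branch,customer_id,customer_branch
# Four tellers each look up five customers of their own branch per day; E005 is
# constructed to mimic an insider browsing dozens of records a day across branches.
def build_sample_log():
    lines = []
    for day in ("2024-04-22", "2024-04-23", "2024-04-24"):
        for emp, branch in (("E001", "MI01"), ("E002", "MI01"),
                            ("E003", "RM02"), ("E004", "RM02")):
            for i in range(5):
                lines.append(f"{day},{emp},{branch},C{branch}{i:03d},{branch}")
        for i in range(40):
            cust_branch = ("MI01", "RM02", "NA03", "TO04")[i % 4]
            lines.append(f"{day},E005,MI01,C{cust_branch}{i:03d},{cust_branch}")
    return lines

def parse(lines):
    """Split CSV records into dicts; malformed lines are skipped, not fatal."""
    recs = []
    for line in lines:
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        date, emp, ebr, cust, cbr = parts
        recs.append({"date": date, "emp": emp, "ebr": ebr, "cust": cust, "cbr": cbr})
    return recs

def daily_counts(recs):
    """Distinct customer records viewed per (employee, day)."""
    seen = defaultdict(set)
    for r in recs:
        seen[(r["emp"], r["date"])].add(r["cust"])
    return {key: len(custs) for key, custs in seen.items()}

def volume_outliers(counts, k=5.0, floor=20):
    """Flag (employee, day) pairs whose count exceeds median + k * MAD of all pairs.

    Median/MAD rather than mean/stddev: a single heavy snooper would otherwise
    raise the baseline and hide inside it. `floor` is an absolute minimum so that,
    when nearly everyone has identical counts (MAD of 0), small deviations are not
    reported as anomalies.
    """
    values = list(counts.values())
    median = statistics.median(values)
    mad = statistics.median(abs(v - median) for v in values) or 1.0
    threshold = max(floor, median + k * mad)
    flagged = sorted(key for key, c in counts.items() if c > threshold)
    return flagged, threshold

def scope_violations(recs, max_ratio=0.2):
    """Flag employees who look up customers of other branches in more than
    max_ratio of their lookups: a need-to-know check independent of volume."""
    total, foreign = defaultdict(int), defaultdict(int)
    for r in recs:
        total[r["emp"]] += 1
        if r["ebr"] != r["cbr"]:
            foreign[r["emp"]] += 1
    return {e: foreign[e] / total[e] for e in total if foreign[e] / total[e] > max_ratio}

def watchlist_hits(recs, watchlist):
    """Every lookup of a high-sensitivity record (e.g. a public figure's account)
    is reported individually: for these, one access is already an incident."""
    return [(r["date"], r["emp"], r["cust"]) for r in recs if r["cust"] in watchlist]

def run_detection(lines, watchlist=frozenset()):
    recs = parse(lines)
    flagged, threshold = volume_outliers(daily_counts(recs))
    return {
        "volume_threshold": threshold,
        "volume_outliers": flagged,
        "scope_violations": scope_violations(recs),
        "watchlist_hits": watchlist_hits(recs, watchlist),
    }

if __name__ == "__main__":
    # Constructed watchlist of sensitive customer IDs (illustrative only).
    result = run_detection(build_sample_log(), watchlist={"CNA03002", "CTO04015"})
    for name, value in result.items():
        print(name, value)
```

Run as-is, the script reports E005 on all three days for volume (40 records against a threshold of 20), a 75% out-of-branch ratio for E005, and six watchlist hits, all by E005; the four ordinary tellers trigger nothing. In a real deployment the baseline would be computed per role and per time window, the job would run on a schedule against the live access log rather than on a batch, and each finding would open a ticket for review. The point the example makes is that none of this requires sophisticated machinery: a daily count per employee, compared against peers, would have surfaced a pattern of several thousand accesses long before two years had passed.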
Citizens, for their part, have the right to know whether their data has been involved in a breach. If in doubt, they can contact their bank directly or reach out to the data protection authority.
Final Takeaways
- Cybersecurity threats do not come only from the outside: insider risks require equal attention and dedicated monitoring tools.
- The absence of anomaly detection systems can allow a breach to persist for years before being discovered.
- GDPR penalties are real and significant: in the Intesa Sanpaolo case, the fine reached €31.8 million, demonstrating how seriously authorities take the protection of personal data.
Sources:
https://captaincompliance.com/education/italian-data-protection-authority-slaps-intesa-sanpaolo-with-e31-8-million-fine-over-massive-insider-data-breach/
https://www.gblock.app/articles/intesa-sanpaolo-gdpr-insider-fine
https://www.dataguidance.com/news/italy-garante-fines-intesa-sanpaolo-eu31m-unlawful
https://cybernews.com/security/italian-bank-fined-eur31-8m-employee-snoop-3500-customers/
https://therecord.media/italian-regulator-fines-financial-giant-36-million
Source: DataBreaches