Mar 31, 2026 · 6 min read
One Employee Snooped on 3,573 Bank Accounts for Two Years—The Bank Got Fined €31.8 Million for Not Noticing
Italy's data protection authority found that Intesa Sanpaolo's controls were so weak that a single employee ran 6,600 unauthorized queries on customer accounts, including public figures, without triggering a single alert.
What Happened
Between February 2022 and April 2024, a single employee at Intesa Sanpaolo, Italy's largest bank, conducted over 6,600 queries to access the banking data of 3,573 customers. The employee had no legitimate business reason for any of these lookups. Among the targets were individuals in "prominent public roles" who, under data protection standards, should have received heightened security protections.
None of these accesses triggered an alert. For more than two years, Intesa Sanpaolo's internal monitoring systems failed to flag what the Italian Data Protection Authority (Garante) later described as a fundamental control failure, not a sophisticated attack.
How the Bank Failed
The Garante's investigation found "serious shortcomings in personal data security, due to the inadequacy of the technical and organizational measures adopted." The bank's operating model allowed individual employees to query the entire customer database without sufficient safeguards. Specific failures included:
- No anomaly detection on access patterns, even when a single employee ran thousands of queries outside their job scope
- No strengthened controls for high-risk accounts, including those belonging to public figures
- An access model that was structurally flawed, allowing "broad access to customer data without sufficiently robust safeguards"
- Breach notifications that were both late and incomplete, with customer communication delayed until after the regulator intervened in November 2024
The Fine
The Garante imposed a €31.8 million fine, approximately $36 million, on Intesa Sanpaolo. The penalty reflected the severity and duration of the violations, the number of affected customers, and the bank's remedial actions taken after discovery. For a bank with over €6.5 billion in annual net income, the fine represents less than half a percent of yearly earnings.
This was not Intesa Sanpaolo's only privacy problem in 2026. In a separate enforcement action earlier in March, the same regulator fined the bank an additional €17.6 million for profiling approximately 2.4 million customers without a valid legal basis. The bank had used the profiling to determine which customers would be transferred to its digital subsidiary, Isybank, without transparent communication or proper consent.
The Insider Threat Problem
External hackers get the headlines, but insider threats cause some of the most damaging breaches. Employees with legitimate system access can browse, copy, or exfiltrate data without tripping the firewalls and intrusion detection systems designed to stop outsiders. The Intesa case is a textbook example: no malware, no exploitation, just an employee with a browser and too much access.
This pattern is not unique to banking. Healthcare organizations have faced similar enforcement actions when employees accessed patient records out of curiosity. The core issue is the same: organizations grant broad access for operational convenience and fail to monitor how that access is actually used.
What GDPR Requires
Under GDPR, organizations must implement "appropriate technical and organizational measures" to protect personal data. For financial institutions handling sensitive account information, regulators expect:
- Role-based access controls that limit data visibility to what each employee needs
- Automated monitoring that flags unusual access patterns in real time
- Enhanced protections for high-risk data subjects, including public figures
- Timely breach notification to both regulators and affected individuals
Intesa Sanpaolo failed on every count. The case joins a growing list of GDPR enforcement actions that demonstrate regulators are increasingly willing to impose substantial fines for inadequate security, not just for data breaches caused by external attackers. As cumulative GDPR fines now exceed €7.1 billion, the cost of inadequate data protection keeps climbing.
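To make concrete what "automated monitoring that flags unusual access patterns" and "strengthened controls for high-risk accounts" look like in practice, here is an added example of a small access-log monitor. It is illustrative code written for this article, not Intesa Sanpaolo's tooling and not anything described in the Garante's decision. The log format (timestamp, employee id, customer id, case reference, high-risk flag), the sample records, and the thresholds are all constructed assumptions; the point is the three rules, which map onto the failures listed above: an immediate alert for any lookup of a flagged data subject with no justifying case reference, an alert for an employee whose lookups are mostly unjustified, and a peer-relative outlier check on how many distinct customers an employee touches per day.

```python
"""Toy insider-access monitor over constructed core-banking lookup logs.

Added example for illustration only; not Intesa Sanpaolo's controls.
Assumed (constructed) record format, one lookup per line:
    ISO-timestamp,employee_id,customer_id,case_ref_or_dash,high_risk(yes|no)
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median


@dataclass(frozen=True)
class Access:
    ts: datetime
    employee: str
    customer: str
    case_ref: str | None   # ticket/case justifying the lookup; None if absent
    high_risk: bool        # customer flagged as a high-risk data subject


def parse_log(text: str) -> list[Access]:
    """Parse the constructed CSV format into Access records."""
    records = []
    for line in text.strip().splitlines():
        ts, emp, cust, case, flag = line.split(",")
        records.append(Access(datetime.fromisoformat(ts), emp, cust,
                              None if case == "-" else case, flag == "yes"))
    return records


def detect(records: list[Access], peer_multiplier: float = 4.0,
           floor: int = 20) -> dict[str, list]:
    """Apply three monitoring rules; thresholds are assumed values."""
    alerts = {"HIGH_RISK_NO_CASE": [], "UNJUSTIFIED_VOLUME": [], "PEER_OUTLIER": []}
    by_day: dict[tuple, set] = defaultdict(set)  # (employee, date) -> customers
    lookups: dict[str, int] = defaultdict(int)
    no_case: dict[str, int] = defaultdict(int)

    for r in records:
        # Rule 1: a flagged data subject looked up with no case reference
        # is alerted on the single event, not on aggregate volume.
        if r.high_risk and r.case_ref is None:
            alerts["HIGH_RISK_NO_CASE"].append((r.employee, r.customer, r.ts.isoformat()))
        by_day[(r.employee, r.ts.date())].add(r.customer)
        lookups[r.employee] += 1
        if r.case_ref is None:
            no_case[r.employee] += 1

    # Rule 2: more than half of an employee's lookups lack any justification.
    for emp, n in lookups.items():
        if n >= 10 and no_case[emp] / n > 0.5:
            alerts["UNJUSTIFIED_VOLUME"].append((emp, no_case[emp], n))

    # Rule 3: distinct customers per day far above the median of peers
    # on the same day (catches a single heavy browser among normal users).
    per_day: dict = defaultdict(dict)
    for (emp, day), custs in by_day.items():
        per_day[day][emp] = len(custs)
    for day, counts in per_day.items():
        if len(counts) < 2:
            continue
        med = median(counts.values())
        for emp, c in counts.items():
            if c >= floor and c > peer_multiplier * med:
                alerts["PEER_OUTLIER"].append((emp, day.isoformat(), c, med))
    return alerts


def constructed_log() -> str:
    """Constructed sample: three employees doing routine case work,
    and one (E042) browsing 30 accounts a day with no case reference,
    including some flagged high-risk customers."""
    lines = []
    for day in ("2024-03-01", "2024-03-02"):
        for i, emp in enumerate(("E017", "E023", "E031")):
            for k in range(4):
                lines.append(f"{day}T09:{10 * i + k:02d}:00,{emp},"
                             f"C{1000 + 100 * i + k},CASE-{8800 + i},no")
        for k in range(30):
            flag = "yes" if k % 10 == 0 else "no"
            lines.append(f"{day}T10:{k:02d}:00,E042,C{5000 + k},-,{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    for kind, hits in detect(parse_log(constructed_log())).items():
        print(kind, len(hits), hits[:2])
```

Run against the constructed log, every alert names E042 and nobody else: six single-event alerts for flagged accounts, one unjustified-volume alert, and a peer-outlier alert on each of the two days. The peer-relative rule matters more than the absolute floor in a real deployment, because normal query volume differs between a branch teller and a fraud analyst; the absolute floor only stops a day with two idle employees from producing noise.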
What You Can Do
If you are a customer of any financial institution, you have limited control over how employees access your data internally. But you can take steps to limit your exposure:
- Request access logs under GDPR Article 15 to see who has viewed your data
- Minimize the personal information you store with financial institutions beyond what is legally required
- Monitor your accounts for unusual activity that could indicate compromised data
- Support regulations that require stronger data access controls and breach notification standards