PRESS RELEASE - Data breach, Garante privacy fines Intesa... - Garante Privacy

https://www.gpdp.it/garante/doc.jsp?ID=10235001
TITLE: Italy's Data Protection Authority Fines Intesa Sanpaolo for Data Breach Affecting Over 3,500 Customers

BODY:

On March 30, 2026, Italy's Garante per la Protezione dei Dati Personali (Data Protection Authority) imposed a fine of €31.8 million on Intesa Sanpaolo S.p.A. for serious deficiencies in personal data security resulting from inadequate technical and organisational measures.

The authority's investigation, initiated following a data breach notification by the bank in July 2024, determined that a bank employee accessed banking information belonging to 3,573 customers without justified reason, conducting over 6,600 unauthorised queries between February 21, 2022 and April 24, 2024. The internal control systems failed to detect these unauthorised accesses, revealing significant gaps in monitoring and prevention mechanisms. The unlawful access included data relating to high-risk customers, including individuals holding prominent public positions, for whom reinforced control safeguards should have been implemented.

The authority found violations of the principles of data integrity, confidentiality, and accountability. The operational model permitted employees to query the entire customer database without adequate balancing controls to prevent and identify unjustified access.

Additional deficiencies emerged in the bank's handling of the breach notification, which was incomplete and delayed beyond regulatory timeframes. Communication to affected individuals occurred only following a separate Data Protection Authority decision on November 2, 2024, compromising the authority's ability to intervene promptly to protect the rights and freedoms of those involved.

In determining the fine amount, the authority considered the severity and duration of violations, the high number of affected customers, and corrective measures subsequently implemented by the institution to strengthen internal control systems and security safeguards.

REFERENCES: Garante per la Protezione dei Dati Personali, Comunicato Stampa, March 30, 2026, available at: https://www.garanteprivacy.it/