Intesa Sanpaolo Fined $36M for Insider Threat Failures -- Lessons for Every Business
TL;DR
- Italy's Data Protection Authority (Garante) fined Intesa Sanpaolo 31.8 million euros ($36M) after a single employee accessed 3,573 customer banking records without authorization over a 26-month period.
- The bank's internal controls failed to detect or prevent the unauthorized access despite existing monitoring systems, revealing systemic gaps in insider threat detection.
- The operating model allowed frontline employees to query the entire customer database without role-based restrictions, a design flaw that turned a single rogue actor into a material data breach.
- Every business handling sensitive data should treat this as a case study in what happens when access controls exist on paper but not in practice.
What Did the Intesa Sanpaolo Employee Do?
Between February 2022 and April 2024, a single employee at Intesa Sanpaolo -- Italy's largest bank by assets -- accessed the banking information of 3,573 customers without any legitimate business purpose [1]. The records included account balances, transaction histories, and personal financial data. Among the targets were high-profile public figures, amplifying the reputational impact [2].
The employee was not a sophisticated hacker. No malware was deployed. The individual used standard workstation credentials to query records through the bank's normal systems. This was a failure of access design and monitoring, not a technical compromise.
Why Did the Internal Controls Fail?
The Garante's investigation revealed two systemic failures that transformed a policy violation into a 31.8 million euro enforcement action.
Unrestricted Query Access
Intesa Sanpaolo's operating model permitted frontline banking employees to query the entire customer database without restrictions tied to their role, branch, or active customer relationships [1]. This is the equivalent of giving every employee a master key to every room in a building and then being surprised when someone enters a room they should not.
In a properly configured system, a branch employee in Milan should be able to access only records for customers assigned to their branch or those they are actively servicing. The principle of least privilege -- granting only the access necessary to perform a specific job function -- is a foundational control in every major framework, including NIST SP 800-53 (control AC-6) and ISO/IEC 27001 [3][4].
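The contrast described above, written out as an added example (this is not code from the article or from the bank): an unrestricted lookup of the "master key" kind sits next to a scoped lookup that binds the employee's branch and assigned customers into the SQL itself and records every grant or refusal in an append-only log. It uses Python with sqlite3; the branch names, customer IDs, the `branch_teller` role and its entitlement rule are assumptions for illustration.

```python
import sqlite3
from dataclasses import dataclass

# Constructed sample records (not real customer data): four accounts across two
# branches. Branch names, customer IDs and balances are hypothetical.
CUSTOMERS = [
    (1, "Milano Centro", "Customer A", 12500.00),
    (2, "Milano Centro", "Customer B", 830.50),
    (3, "Bari Nord", "Customer C", 99000.00),
    (4, "Bari Nord", "Customer D", 410.00),
]


@dataclass(frozen=True)
class Employee:
    user_id: str
    role: str
    branch: str
    assigned_customers: frozenset  # customers this employee is actively servicing


def build_db() -> sqlite3.Connection:
    """In-memory database with a customer table and an append-only access log."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, branch TEXT, name TEXT, balance REAL)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", CUSTOMERS)
    conn.execute(
        "CREATE TABLE access_log (ts TEXT DEFAULT CURRENT_TIMESTAMP, "
        "user_id TEXT, customer_id INTEGER, allowed INTEGER)"
    )
    # Separation of duties at the storage layer: whoever can read customer data
    # cannot rewrite the record of having done so.
    for verb in ("UPDATE", "DELETE"):
        conn.execute(
            f"CREATE TRIGGER access_log_no_{verb.lower()} BEFORE {verb} ON access_log "
            "BEGIN SELECT RAISE(ABORT, 'access_log is append-only'); END"
        )
    conn.commit()
    return conn


def lookup_unrestricted(conn, emp, customer_id):
    """The 'master key' design the article criticises: any authenticated employee
    can read any record. Kept only as the before case; emp is deliberately unused."""
    return conn.execute(
        "SELECT id, branch, name, balance FROM customers WHERE id = ?", (customer_id,)
    ).fetchone()


def lookup_scoped(conn, emp, customer_id):
    """Least-privilege design: a teller may read a record only if it belongs to
    their branch or to a customer they are assigned to. The scope is part of the
    query, so the database never returns a row the caller is not entitled to,
    and both grants and refusals are logged."""
    row = None
    if emp.role == "branch_teller":  # roles with no customer-record entitlement get nothing
        assigned = sorted(emp.assigned_customers)
        placeholders = ",".join("?" * len(assigned)) or "NULL"  # IN (NULL) matches no row
        row = conn.execute(
            "SELECT id, branch, name, balance FROM customers "
            f"WHERE id = ? AND (branch = ? OR id IN ({placeholders}))",
            (customer_id, emp.branch, *assigned),
        ).fetchone()
    conn.execute(
        "INSERT INTO access_log (user_id, customer_id, allowed) VALUES (?, ?, ?)",
        (emp.user_id, customer_id, 1 if row else 0),
    )
    conn.commit()
    return row


def denied_attempts(conn, user_id):
    """Count of refused lookups for a user: a cheap input for access audits."""
    return conn.execute(
        "SELECT COUNT(*) FROM access_log WHERE user_id = ? AND allowed = 0", (user_id,)
    ).fetchone()[0]


def audit_log_is_append_only(conn):
    """True if the triggers block tampering with a non-empty access log."""
    try:
        conn.execute("DELETE FROM access_log")
    except sqlite3.DatabaseError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    milan_teller = Employee("t-001", "branch_teller", "Milano Centro", frozenset({3}))
    print(lookup_unrestricted(db, milan_teller, 4))  # master key: Bari record returned
    print(lookup_scoped(db, milan_teller, 1))        # own branch: returned
    print(lookup_scoped(db, milan_teller, 3))        # assigned Bari customer: returned
    print(lookup_scoped(db, milan_teller, 4))        # unrelated Bari customer: None
    print(denied_attempts(db, "t-001"), audit_log_is_append_only(db))
```

The point of putting the scope into the `WHERE` clause rather than filtering in application code is that a forgotten check in one code path cannot leak a row; production databases offer row-level security policies for the same effect. Logging the refusals is as important as logging the grants: a teller who is repeatedly denied access to other branches' customers is exactly the pattern an access audit should surface.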
Detection Lag
The unauthorized access continued for over 26 months. Logging alone would not have helped: without an effective anomaly-detection layer over those logs, an employee querying thousands of records outside their normal workflow went unnoticed until the activity was reported through other channels [2]. User and Entity Behavior Analytics (UEBA) systems are designed for exactly this scenario: establishing a per-user and per-role baseline and alerting on deviations from it [5].
What Are the Regulatory Consequences?
The Garante imposed its fine under the General Data Protection Regulation (GDPR), specifically citing violations of Articles 5, 25, 32, and 34 [1]:
- Article 5 (Data Processing Principles): The bank failed to ensure data was processed lawfully and in a way that safeguarded its integrity and confidentiality.
- Article 25 (Data Protection by Design): The system architecture did not embed access restrictions into its design.
- Article 32 (Security of Processing): Technical and organizational measures were inadequate to prevent unauthorized access.
- Article 34 (Communication of Breach): The bank failed to notify affected customers within the legally required timeframe.
The notification failure is particularly significant. GDPR requires controllers to communicate high-risk breaches to affected individuals "without undue delay" [6]. By failing to meet this obligation, Intesa Sanpaolo compounded its regulatory exposure.
How Does This Apply to Non-Banking Businesses?
The insider threat problem is not unique to banking. Any organization where employees access customer data -- healthcare providers, law firms, SaaS platforms, retailers -- faces the same risk. The Ponemon Institute puts the average annual cost of insider threats at $16.2 million per organization, with an average containment time of 86 days [7].
Practical steps for any business:
- Implement role-based access control (RBAC). Map every data-access permission to a specific job function, scope it to branch or assigned customers where the data model allows, and review and recertify access quarterly [3].
- Deploy behavioral analytics. Establish baseline query patterns for each role and each user. Alert on volume anomalies, off-hours access, and access outside an employee's assigned scope [5].
- Conduct access audits. Pull access logs at least monthly. Compare actual patterns to documented business justifications. Investigate discrepancies within 48 hours.
- Enforce separation of duties. No single employee should be able to both access sensitive data and modify the audit trail for that access; keep the log append-only and owned by a team other than the one it records.
- Document notification procedures. Under GDPR, CCPA, and most breach notification laws, the clock starts at discovery. Have pre-drafted templates and a decision tree for notification obligations [6][8].
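The baseline-and-deviation logic behind the analytics and audit steps above, and behind the detection lag discussed earlier, written out as an added example in Python (not the article's code and not any vendor's product). It runs over a constructed access log: each user-day is scored against that user's own median daily volume, and off-hours, out-of-branch and watchlisted lookups are surfaced as separate per-day alerts. The business-hours window, the 3x multiplier, the five-day minimum baseline, the watchlist IDs and the log rows themselves are assumptions for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 on weekdays counts as working time (assumption)
VOLUME_MULTIPLIER = 3.0        # flag a day above 3x the user's own median daily volume
MIN_BASELINE_DAYS = 5          # no volume scoring until this many active days are on record
# Constructed stand-in for the "high-profile" accounts: every lookup of these IDs
# is surfaced regardless of volume.
WATCHLIST = {2005, 2017}


def make_sample_log():
    """Constructed access-log rows (not real data). Teller u1 performs three lookups per
    working day in their own branch for ten days, then on 2024-03-18 pulls 40 records
    belonging to another branch late at night. u2 is a control with two ordinary lookups."""
    rows = []
    day = datetime(2024, 3, 4)  # a Monday
    working_days = 0
    while working_days < 10:
        if day.weekday() < 5:
            for k in range(3):
                rows.append({"ts": day.replace(hour=9 + k), "user": "u1",
                             "user_branch": "Milano Centro",
                             "customer_id": 1000 + k, "customer_branch": "Milano Centro"})
            working_days += 1
        day += timedelta(days=1)
    burst_start = datetime(2024, 3, 18, 22, 0)
    for i in range(40):
        rows.append({"ts": burst_start + timedelta(minutes=i), "user": "u1",
                     "user_branch": "Milano Centro",
                     "customer_id": 2000 + i, "customer_branch": "Bari Nord"})
    for k in range(2):
        rows.append({"ts": datetime(2024, 3, 18, 10 + k), "user": "u2",
                     "user_branch": "Bari Nord",
                     "customer_id": 3000 + k, "customer_branch": "Bari Nord"})
    return rows


def is_off_hours(ts):
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def detect(rows):
    """Score every (user, day) against that user's own earlier days and return a list of
    alerts, one per signal per user-day: volume, off_hours, out_of_scope, watchlist."""
    by_user_day = defaultdict(list)
    for r in rows:
        by_user_day[(r["user"], r["ts"].date())].append(r)
    history = defaultdict(list)  # user -> daily lookup counts seen so far, oldest first
    alerts = []

    def alert(user, day, kind, detail):
        alerts.append({"user": user, "day": day, "kind": kind, "detail": detail})

    for user, day in sorted(by_user_day):  # sorted by user, then chronologically
        events = by_user_day[(user, day)]
        count = len(events)
        # Volume: today's count versus the median of earlier active days. The median keeps
        # one past spike from raising the bar; today is added to history only afterwards.
        if len(history[user]) >= MIN_BASELINE_DAYS:
            baseline = statistics.median(history[user])
            if count > VOLUME_MULTIPLIER * baseline:
                alert(user, day, "volume", f"{count} lookups vs median {baseline:g}")
        history[user].append(count)
        off = [e for e in events if is_off_hours(e["ts"])]
        if off:
            alert(user, day, "off_hours", f"{len(off)} lookups outside business hours")
        out = [e for e in events if e["customer_branch"] != e["user_branch"]]
        if out:
            branches = ", ".join(sorted({e["customer_branch"] for e in out}))
            alert(user, day, "out_of_scope", f"{len(out)} records from {branches}")
        hits = sorted({e["customer_id"] for e in events if e["customer_id"] in WATCHLIST})
        if hits:
            alert(user, day, "watchlist", f"watchlisted customers {hits}")
    return alerts


if __name__ == "__main__":
    for a in detect(make_sample_log()):
        print(a["day"], a["user"], a["kind"], "-", a["detail"])
```

Two design choices matter in practice. Alerts are aggregated per user-day, so a 40-record burst produces one volume alert and one out-of-scope alert rather than 80 tickets, and the control user with too little history produces nothing rather than a false positive. A real deployment would also compare each user against a role-level baseline, because a new joiner or a rarely active account has no personal history to deviate from.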
What Is the ROI of Insider Threat Prevention?
For Intesa Sanpaolo, the direct cost of this failure is $36 million in fines alone, before legal fees, remediation costs, and reputational damage. A comprehensive insider threat program for a mid-market organization, covering UEBA tooling, access governance, and audit staffing, runs as a rough estimate between $150,000 and $500,000 annually.
The math is not complicated. The question is whether the investment happens before or after the enforcement action.
FAQ
Does GDPR apply to businesses outside the EU?
GDPR applies to any organization that processes personal data of EU residents, regardless of where the company is headquartered. If your business has EU customers, clients, or employees, you are subject to these requirements and to potential fines of up to 4% of global annual turnover or 20 million euros, whichever is higher [6].
What do the warning signs of insider data snooping look like?
Behavioral analytics tools compare each user's access patterns against a baseline. Warning signs include accessing records outside assigned accounts, querying unusually high volumes of records, accessing data during non-working hours, and searching for specific high-profile individuals without a documented business reason [5].
Is an insider threat the same thing as a data breach?
An insider threat is a specific type of data breach where the unauthorized access originates from someone within the organization -- an employee, contractor, or business partner. Not all data breaches are insider threats (many involve external attackers), but insider threats are often harder to detect because the individual already has legitimate system access [7].
Is role-based access control enough on its own?
RBAC is necessary but not sufficient. It limits the scope of what an employee can access, but it does not prevent misuse within the granted scope. Combining RBAC with behavioral monitoring, access logging, and periodic audits creates a layered defense that addresses both over-provisioned access and misuse of legitimate access [3][4].
What are the GDPR breach notification deadlines?
GDPR Article 34 requires controllers to notify affected individuals "without undue delay" when a breach is likely to result in a high risk to their rights and freedoms. Article 33 requires notification to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach [6].
Your access controls should catch rogue insiders before regulators do. Book a consultation with lilMONSTER to assess your insider threat posture, access governance, and regulatory readiness.
References
[1] Garante per la protezione dei dati personali, "Provvedimento nei confronti di Intesa Sanpaolo S.p.A.," Garanteprivacy.it, 2026. [Online]. Available: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/
[2] Reuters, "Italy fines Intesa Sanpaolo over employee data snooping," Reuters.com, 2026. [Online]. Available: https://www.reuters.com/business/finance/
[3] National Institute of Standards and Technology, "NIST Special Publication 800-53 Rev. 5: Security and Privacy Controls," NIST.gov, Sep. 2020. [Online]. Available: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
[4] International Organization for Standardization, "ISO/IEC 27001:2022 Information Security Management Systems," ISO.org, 2022. [Online]. Available: https://www.iso.org/standard/27001
[5] Gartner, "Market Guide for User and Entity Behavior Analytics," Gartner.com, 2024. [Online]. Available: https://www.gartner.com/en/documents/ueba-market-guide
[6] European Parliament and Council, "Regulation (EU) 2016/679 (General Data Protection Regulation)," EUR-Lex, Apr. 27, 2016. [Online]. Available: https://eur-lex.europa.eu/eli/reg/2016/679/oj
[7] Ponemon Institute, "2024 Cost of Insider Threats Global Report," Ponemon.org, 2024. [Online]. Available: https://www.ponemon.org/research/cost-of-insider-threats.html
[8] California Office of the Attorney General, "California Consumer Privacy Act (CCPA)," OAG.ca.gov, 2024. [Online]. Available: https://oag.ca.gov/privacy/ccpa
Intesa Sanpaolo's $36 Million Fine Explained Simply
TL;DR
- A bank employee snooped on 3,573 customers' accounts for over two years without getting caught.
- The bank got fined $36 million because its security systems did not stop or notice it.
- The bank also failed to tell affected customers on time, making things worse.
- Every business with customer data needs rules about who can look at what.
What Happened?
Imagine your school has a computer where teachers can look up any student's grades. One teacher -- who only teaches math to fifth graders -- spent two years looking up every student's grades in every subject. Nobody noticed because the system had no alarms.
That is what happened at Intesa Sanpaolo, one of Italy's biggest banks. One employee spent over two years looking at private bank account information of 3,573 customers. They did not hack anything -- they just used their normal login. The bank let every employee see every customer's information with no limits.
Why Was the Fine So Large?
- No locks on the doors. The system let employees look at any record, even unrelated customers. It is like giving every teacher a key to the principal's office just because they work there.
- No alarm system. The employee looked at thousands of records without any red flags. A good system would notice and send an alert.
- Late notification. When the bank found out, they did not tell affected customers fast enough, breaking European privacy law.
What Can Businesses Do?
- Only give people access to what they need. If someone helps customers in one city, they should not see records from another.
- Set up alerts for unusual behavior. If an employee normally views 20 records per day and suddenly views 200, the system should notify a manager.
- Have a notification plan ready. Write a plan for telling affected customers quickly -- before you need it.
FAQ
What is an insider threat?
An insider threat is when someone who works at a company misuses their access to look at or steal information. It is like a teammate who peeks at the answer key -- they already have access to the classroom.
Was it the employee's fault or the bank's?
The bank is responsible for setting up security rules. If a school lets students walk freely into the teachers' lounge and one reads confidential files, the school is responsible for not locking the door.
Can this happen to small businesses?
Yes. Any business where employees access customer information has this risk. Smaller businesses can often fix it faster because they have fewer systems.
What is GDPR?
GDPR is a set of European rules protecting personal information. Companies must keep data safe and tell people if something goes wrong. Breaking these rules leads to large fines.
Want to make sure your team only sees the data they need? Talk to lilMONSTER for a plain-language access control review.