Full Report
From the Garante's press release, it sounds like the banking group experienced an insider-wrongdoing breach in which an employee improperly accessed the records of 3,573 customers over a period of roughly two years. Press release title: "Data breach: The Italian Data Protection Authority fines Intesa Sanpaolo €31.8 million for unauthorized access to the banking information of over 3,500 customers for..."
Analysis Summary
# Incident Report: Intesa Sanpaolo Insider Data Breach
## Executive Summary
An employee at Intesa Sanpaolo improperly accessed the banking information of over 3,500 customers, including high-profile public figures, over a two-year period. The breach was possible because internal monitoring did not distinguish legitimate lookups from snooping, and because a "circular" access model let any operator query any customer record without a recorded business justification. The Italian Data Protection Authority (Garante) imposed a €31.8 million fine for these security shortcomings and for late, incomplete breach notification.
## Incident Details
- **Discovery Date:** July 2024 (as reported by the bank)
- **Incident Date:** February 21, 2022 – April 24, 2024
- **Affected Organization:** Intesa Sanpaolo SpA
- **Sector:** Financial Services / Banking
- **Geography:** Italy
## Timeline of Events
### Initial Access
- **Date/Time:** February 21, 2022
- **Vector:** Authorized Internal Access (Insider Threat)
- **Details:** A bank employee utilized existing valid credentials to begin querying customer data without professional justification.
### Lateral Movement
- **Details:** Lateral movement was not strictly required in the traditional sense; the employee leveraged a "fully circular" operating model that allowed them to search the bank’s entire customer base from their existing position.
### Data Exfiltration/Impact
- **Details:** Over a period of 26 months, the employee conducted more than 6,600 unauthorized inquiries into the banking records of 3,573 customers. This included sensitive data on high-risk individuals and public officials.
### Detection & Response
- **July 2024:** The bank reportedly detected the breach and notified the Authority.
- **November 2, 2024:** The Authority issued a provision (web doc. no. 10070521) following the bank's initial failure to properly notify affected data subjects.
- **March 30, 2026:** Final determination of the €31.8 million fine by the Italian Data Protection Authority.
## Attack Methodology
- **Initial Access:** Valid employee credentials.
- **Persistence:** Long-term unauthorized access maintained for over two years.
- **Privilege Escalation:** Not applicable; the user abused existing broad access rights.
- **Defense Evasion:** The employee’s activities were not flagged by internal monitoring or anomaly detection systems for 26 months.
- **Credential Access:** Misuse of legitimately assigned internal credentials.
- **Discovery:** Circular querying of the bank’s entire customer database.
- **Collection:** Manual or systematic querying of customer records; more than 6,600 lookups in total.
- **Impact:** Violation of integrity and confidentiality; unauthorized disclosure of financial personal data.
## Impact Assessment
- **Financial:** €31.8 million (approximately US$34.5 million) administrative fine.
- **Data Breach:** Compromise of 3,573 customer accounts, including those of high-risk public figures.
- **Operational:** Forced revision of technical and organizational security measures.
- **Reputational:** Public regulatory rebuke highlighting "serious shortcomings" in data security and lack of transparency with customers.
## Indicators of Compromise
- **Behavioral indicator (volume):** High volume of customer-record queries (6,600+ over 26 months) performed by a single user account without corresponding business justification or assigned case files.
- **Behavioral indicator (scope):** Access to "high-risk" or VIP customer records by an employee with no assigned relationship to those customers and no role requiring such access.
## Response Actions
- **Containment:** Termination of the employee's unauthorized access.
- **Eradication / Scoping:** Investigation to establish which customers were queried, how often, and over what period.
- **Recovery:** Strengthening of internal control systems and revision of the customer database access model.
- **Regulatory:** Belated notification of the Italian Data Protection Authority and subsequent notification of data subjects.
## Lessons Learned
- **Monitoring Gaps:** Internal control systems were unable to differentiate between legitimate business inquiries and malicious "snooping."
- **Principle of Least Privilege:** Allowing "circular" access—where any operator can query the entire database—creates a high-risk environment for insider abuse.
- **Compliance Failures:** The notification to the Authority and data subjects was found to be "incomplete and late," exacerbating legal and financial penalties.
## Recommendations
- **Implement Tiered Access:** Restrict access to sensitive or high-profile accounts (VIPs/PEPs) to a limited subset of vetted personnel.
- **User Behavior Analytics (UBA):** Deploy monitoring that flags anomalous lookup patterns, such as an employee opening large numbers of records outside their assigned branch or portfolio, or records of customers with whom they have no open case.
- **Justification Logging:** Require employees to provide a reason or case number when accessing sensitive customer profiles.
- **Incident Response Training:** Ensure the legal and compliance teams are prepared to meet GDPR timelines: notification to the supervisory authority within 72 hours of becoming aware of the breach (Art. 33) and notification of affected data subjects without undue delay where the risk to them is high (Art. 34). Late or incomplete notification attracts separate penalties on top of those for the underlying security failures.
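The behavioral indicators listed above and the UBA, justification-logging and tiered-access recommendations can be turned into concrete review rules over a customer-lookup audit log. The following Python is an added example written for this page; it is not code from Intesa Sanpaolo, the Garante or any product, and the log format, field names (operator branch, customer branch, customer tier, case reference), the `vip_cleared` group and every threshold are assumptions chosen only to illustrate the rules. The sample log is constructed.

```python
"""Audit-log review for insider browsing of customer records.

Added illustration, not code from the bank or the regulator. The log layout and
the thresholds are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set

# Constructed sample audit log (not a real log). One customer-record lookup per
# line: timestamp, operator id, customer id, customer tier (standard/vip), the
# operator's branch, the customer's branch, and the case reference the operator
# entered when opening the record ("-" when none was given).
AUDIT_LOG = """\
2022-02-21T09:14:02 op_2044 C00042 standard BR-MI-03 BR-MI-03 CASE-7781
2022-02-21T09:31:45 op_1187 C00911 vip      BR-MI-03 BR-RM-01 -
2022-02-21T09:32:10 op_1187 C00912 standard BR-MI-03 BR-RM-01 -
2022-02-21T09:33:55 op_1187 C00913 standard BR-MI-03 BR-TO-02 -
2022-02-21T09:35:08 op_1187 C00914 standard BR-MI-03 BR-NA-05 -
2022-02-21T09:36:40 op_1187 C00915 vip      BR-MI-03 BR-RM-01 -
2022-02-21T10:02:17 op_2044 C00043 standard BR-MI-03 BR-MI-03 CASE-7782
2022-02-21T10:05:30 op_1187 C00916 standard BR-MI-03 BR-MI-03 CASE-7790
2022-02-21T10:07:12 op_1187 C00917 standard BR-MI-03 BR-FI-04 -
2022-02-21T11:40:01 op_2044 C00042 standard BR-MI-03 BR-MI-03 CASE-7781
"""


@dataclass(frozen=True)
class Lookup:
    ts: datetime
    operator: str
    customer: str
    tier: str
    operator_branch: str
    customer_branch: str
    case_ref: Optional[str]  # None when the operator gave no justification


def parse_log(text: str) -> List[Lookup]:
    """Parse the whitespace-separated format assumed above, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, op, cust, tier, obr, cbr, ref = line.split()
        events.append(Lookup(datetime.fromisoformat(ts), op, cust, tier, obr, cbr,
                             None if ref == "-" else ref))
    return events


def find_indicators(events: List[Lookup], vip_cleared: Set[str], *,
                    min_lookups: int = 5, max_unjustified_ratio: float = 0.5,
                    max_out_of_branch: int = 2) -> Dict[str, List[str]]:
    """Return {operator: sorted indicator names} for operators tripping any rule.

    Rules (thresholds are assumptions):
      volume_without_justification - at least min_lookups lookups, more than
          max_unjustified_ratio of them with no case reference
      out_of_branch_browsing - more than max_out_of_branch distinct customers
          of other branches opened without a case reference
      vip_access_unvetted - any VIP record opened by an operator outside the
          cleared group, case reference or not (tiered-access violation)
    """
    by_op: Dict[str, List[Lookup]] = defaultdict(list)
    for e in events:
        by_op[e.operator].append(e)

    findings: Dict[str, List[str]] = {}
    for op, evs in by_op.items():
        hits = set()
        unjustified = [e for e in evs if e.case_ref is None]
        if len(evs) >= min_lookups and len(unjustified) / len(evs) > max_unjustified_ratio:
            hits.add("volume_without_justification")
        foreign = {e.customer for e in unjustified if e.customer_branch != e.operator_branch}
        if len(foreign) > max_out_of_branch:
            hits.add("out_of_branch_browsing")
        if op not in vip_cleared and any(e.tier == "vip" for e in evs):
            hits.add("vip_access_unvetted")
        if hits:
            findings[op] = sorted(hits)
    return findings


if __name__ == "__main__":
    # Operator op_3001 is the only one cleared for VIP records in this sample.
    for operator, indicators in find_indicators(parse_log(AUDIT_LOG), {"op_3001"}).items():
        print(operator, ", ".join(indicators))
```

On the constructed log, `op_1187` trips all three rules (six of seven lookups lack a case reference, six distinct out-of-branch customers were opened without one, and two VIP records were opened without clearance), while `op_2044` is clean. The volume rule deliberately needs both a minimum count and a high unjustified ratio, so a teller who occasionally forgets a case reference is not flagged; in a real deployment the same checks would run per day or per week rather than over the whole log, and the VIP rule would be enforced at query time, not only reviewed afterwards.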