Poste Italiane, Postepay Fined €12.5M for Unlawful User Data Processing

Italian Data Protection Authority fine

The Italian Data Protection Authority fine against Poste Italiane and Postepay has reached over €12.5 million, after regulators found unlawful processing of personal data affecting millions of users.

The Italian Data Protection Authority imposed a €6.6 million penalty on Poste Italiane and €5.8 million on Postepay. The action follows an investigation launched in April 2024 after multiple complaints from users regarding how their data was being handled through mobile applications.

Italian Data Protection Authority Fine Linked to Intrusive App Monitoring

The Italian Data Protection Authority fine centers on how BancoPosta and Postepay apps collected user data. Customers were required to allow monitoring of information stored on their devices, including details about installed and active applications.

According to the companies, this access was necessary to detect malware and prevent fraud in line with payment security requirements. However, the regulator found that the scope of monitoring went too far.

Authorities stated that the data collection methods were not proportionate and resulted in excessive intrusion into users’ private lives. The ruling emphasized that fraud prevention cannot justify blanket access to personal device data.

Multiple Compliance Failures Identified

The investigation behind the Italian Data Protection Authority fine also revealed broader compliance failures. Regulators flagged insufficient transparency in how users were informed about data collection practices.

The companies were also found to have not conducted an adequate Data Protection Impact Assessment. Such assessments are required when processing activities pose high risks to individual privacy.

Further issues included weak security measures, unclear policies on how long data was stored, and irregularities in defining data controller responsibilities. These gaps raised concerns about how user data was governed internally.

As part of the enforcement action, both companies have been ordered to stop the disputed data processing practices if still ongoing. They must also align their data retention policies with regulatory requirements and report compliance to the Authority.

Italian Regulator Steps Up Enforcement

The action reinforces a broader trend of stricter enforcement by the Italian Data Protection Authority across the financial sector. The Poste Italiane and Postepay fines follow another high-profile enforcement action earlier this year involving Intesa Sanpaolo. In March 2026, the regulator imposed a €31.8 million penalty on the bank after uncovering serious lapses in how customer data was protected. The case involved unauthorized access to sensitive information of more than 3,500 customers over a period of more than two years. Investigators found that a single employee had accessed customer records more than 6,600 times without any legitimate business reason. The breach went undetected for months, exposing weaknesses in the bank’s internal monitoring systems.

Insider Risks and Monitoring Gaps under Focus

The Intesa Sanpaolo case highlighted a different but equally critical issue. While Poste Italiane and Postepay were penalized for excessive data collection, the bank was fined for failing to detect misuse of legitimate access. According to the Authority, the bank’s monitoring systems were not designed to identify slow, repeated misuse of access over time. This allowed the unauthorized activity to continue without triggering alerts, even when it involved high-risk individuals such as public figures. Regulators concluded that the controls in place were not aligned with the risks associated with broad internal access to sensitive financial data. The case has since raised concerns about insider threats and the effectiveness of existing detection mechanisms within financial institutions.

Growing Pressure on Financial Services

Together, these cases reflect a tightening regulatory environment in Italy, where financial institutions are being held accountable for both overreach and underperformance in data protection. The Poste Italiane and Postepay decision highlights the importance of balancing fraud prevention measures with user privacy. Security controls must be proportionate, transparent, and supported by proper risk assessments. At the same time, the Intesa Sanpaolo breach demonstrates that insufficient monitoring can be just as damaging, particularly when insider threats go unnoticed for extended periods. With enforcement actions increasing in scale and frequency, organizations operating in the financial sector are facing mounting pressure to reassess their data governance frameworks. The regulator’s recent decisions make it clear that both excessive data collection and weak oversight can lead to significant financial and reputational consequences.

Intesa Sanpaolo Missed Unauthorized Access for 2 Years, Regulator Reveals

Intesa Sanpaolo Data Breach Update

The Intesa Sanpaolo data breach was not just the result of unauthorized access; it was a failure of detection that lasted for more than two years. In an exclusive response to The Cyber Express, Italy’s data protection authority has now clarified that the bank’s monitoring systems were not equipped to identify repeated, low-volume misuse of access over time. The Intesa Sanpaolo data breach, which has already led to a €31.8 million fine, involved a single employee accessing the data of over 3,500 customers without any valid business reason. While earlier findings established the scale of the incident, the latest response explains why it continued undetected for so long.

Intesa Sanpaolo Data Breach: Monitoring Failed to Catch Slow, Repeated Access

At the center of the Intesa Sanpaolo data breach is a critical gap in how internal activity was monitored. In response to queries from The Cyber Express, Secretary General of the Italian Data Protection Authority, Luigi Montuori, said:
“The Authority found that the employee carried out unauthorized access over a period of more than two years without the bank’s alert systems detecting any anomaly. According to the decision, the controls adopted by the bank proved inadequate in light of the specific risks connected with its operating model, which allowed broad internal access to customer data.”
He further added:
“In particular, the Authority considered that the thresholds and monitoring mechanisms in place were not sufficient to promptly detect repeated but time-distributed improper access, including access involving politically exposed or otherwise high-profile individuals.”
This clarification is significant. It shows that the Intesa Sanpaolo data breach was not missed because of a lack of controls, but because those controls were not designed to detect how insider threats actually behave. Rather than triggering alerts through large or unusual spikes, the access remained under the radar by being spread out over time. This exposes a common blind spot in enterprise monitoring: systems often focus on volume, not patterns.

No Confirmed Misuse, But Regulator Flags High Risk

Another key question in the Intesa Sanpaolo data breach has been whether the accessed data was misused beyond internal viewing. Montuori clarified in his response:
“The decision does not state that there is confirmed evidence of data exfiltration or further misuse of the data outside the unauthorized access itself. However, the Authority found that the unlawful access, its scale, its duration, and the categories of persons affected were sufficient to create a high risk for the rights and freedoms of the individuals concerned. Beyond the conclusions set out in our decision, the case is also under investigation by the judicial authority in criminal proceedings.”
Even without confirmed data exfiltration, the Intesa Sanpaolo data breach was treated as a serious violation. The regulator’s position is clear: prolonged unauthorized access, especially involving sensitive and high-profile individuals, creates inherent risk. This reflects a broader shift in enforcement, where exposure itself, not just proven misuse, is enough to trigger regulatory action.

Post-Breach Fixes Highlight Earlier Gaps

Following the Intesa Sanpaolo data breach, the bank introduced several measures to strengthen its controls. The authority noted:
“The decision notes that, after the incident, the bank adopted a number of measures to strengthen its safeguards, including:
  • stronger protections for certain particularly sensitive or high-profile customers;
  • enhanced ex ante authorization mechanisms and ex post controls on access;
  • strengthened alerting and monitoring systems for anomalous access;
  • a dedicated task force for analysis and decision support;
  • the introduction of additional data masking measures;
  • broader governance improvements in the management of personal data breaches.
As stated in the decision, the Authority also took these remedial measures into account in its overall assessment.”
While these steps address key weaknesses, they also underline a larger issue. In the Intesa Sanpaolo data breach, the most critical safeguards (effective monitoring, stricter access control, and risk-based oversight) were strengthened only after the breach had already persisted for years.

A Broader Warning on Insider Risk

The Intesa Sanpaolo data breach offers a clear lesson for the banking sector and beyond. Internal access remains one of the most difficult risks to control. Systems are often designed to enable efficiency, giving employees broad visibility across customer data. But without monitoring that reflects real user behavior, that access can be misused without detection. What stands out in this case is that even access involving politically exposed and high-profile individuals did not trigger alerts. That points to a deeper issue—not just in tools, but in how risk is defined and monitored. As Montuori concluded:
“At this stage, we have no further comment beyond the contents of the adopted measure”.
The case may be closed from a regulatory standpoint, but its implications are not. The Intesa Sanpaolo data breach shows that insider threats do not always appear as obvious anomalies; they often build quietly over time. Without systems designed to catch that, similar incidents are likely to happen again.

Intesa Sanpaolo Data Breach Exposes 3,500+ Customers, Draws €31.8M Penalty

Intesa Sanpaolo data breach

The Intesa Sanpaolo data breach has resulted in a €31.8 million fine from Italy’s data protection authority, after an investigation found serious lapses in how the bank protected customer data. The case centers on unauthorized access to the banking information of more than 3,500 customers over a period of more than two years, raising fresh concerns around internal threats in the financial sector. The Intesa Sanpaolo data breach, first reported by the bank in July 2024, turned out to be far more extensive than initially disclosed. Regulators found that a single employee had accessed sensitive banking data of 3,573 customers without any professional justification, making over 6,600 queries between February 2022 and April 2024.

Internal Access, No Early Detection

What stands out in the Intesa Sanpaolo data breach is not just the unauthorized access, but how long it went unnoticed. According to the Italian Data Protection Authority, the bank’s internal monitoring systems failed to detect repeated anomalous access. The activity continued for months, exposing a clear gap in how employee actions were being tracked. The access also involved individuals considered high-risk, including public figures and politically exposed persons. These profiles typically require stricter oversight, but the investigation found that enhanced controls were either not applied or were ineffective.

Regulator Flags GDPR Violations

The authority concluded that the Intesa Sanpaolo data breach violated key provisions of the GDPR, particularly around data integrity, confidentiality, and accountability. At the core of the issue was the bank’s access model. Employees were able to query customer data across the system without sufficient restrictions. While such systems are often designed for operational flexibility, regulators noted that they must be backed by strong controls—which were lacking in this case. The findings pointed to broader weaknesses in both technical safeguards and organizational oversight.

Delays in Intesa Sanpaolo Data Breach Notification

The bank’s response to the incident has also come under scrutiny. Authorities found that the breach notification was incomplete and delayed, falling short of legal requirements. Customer communication was another weak point. Many affected individuals were informed only after the regulator intervened in November 2024, months after the issue had come to light. This delay limited the ability of customers to take timely action, a factor that weighed into the final penalty.

Scale of Exposure Raises Concerns

The Intesa Sanpaolo data breach was not limited to a small set of accounts. The investigation showed that the employee accessed data linked to politicians, public figures, bank staff, and thousands of ordinary customers. The information viewed included personal identification details as well as financial data such as account activity and payment card information. While the bank stated there was no evidence of data being extracted or misused, regulators emphasized that unauthorized access alone constitutes a serious breach under GDPR.

Bank Responds, Tightens Controls

Intesa Sanpaolo has since taken corrective steps following the data breach. The bank said it dismissed the employee involved and has introduced stricter controls on data access. New measures include requiring justification for accessing customer data outside assigned portfolios, enhanced alert systems to detect unusual activity, and additional layers of authorization. The bank also argued during proceedings that not all breaches can be prevented and that its systems did eventually detect anomalies. However, regulators maintained that the delay and scale of the breach pointed to deeper issues.
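The "volume, not patterns" blind spot described in the regulator's clarification above, and the out-of-portfolio and high-profile-customer controls the bank says it has since introduced, as an added Python example that is not the bank's, the regulator's or The Cyber Express's code: one constructed access log is run through a volume-only daily threshold, which stays silent, and through a pattern rule that counts distinct unassigned customers over a 30-day window and flags any unassigned access to a PEP record. Employee names, customer ids, thresholds and the log itself are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Access:
    day: date           # date of the customer-record query
    employee: str       # employee who ran the query
    customer: str       # customer record that was read
    in_portfolio: bool  # customer is assigned to this employee
    pep: bool           # politically exposed / high-profile customer


def build_sample_log():
    """Constructed sample: an insider reads 3 unassigned customers a day for
    90 days (never a spike), while a teller does 40 in-portfolio lookups a day."""
    start = date(2022, 2, 1)  # constructed date, not from the decision
    log = []
    for d in range(90):
        day = start + timedelta(days=d)
        for k in range(3):
            idx = d * 3 + k
            log.append(Access(day, "emp-insider", f"cust-{idx:04d}", False, pep=idx % 40 == 0))
        for k in range(40):
            log.append(Access(day, "emp-teller", f"own-{k:03d}", True, False))
    return log


def daily_spike_alerts(log, threshold=50):
    """Volume-only rule: alert when an employee exceeds `threshold` queries in one day.
    Time-distributed misuse never crosses this line, so it returns no alerts here."""
    counts = defaultdict(int)
    for a in log:
        counts[(a.employee, a.day)] += 1
    return sorted({emp for (emp, _), n in counts.items() if n > threshold})


def slow_burn_alerts(log, window_days=30, max_unassigned=20):
    """Pattern rule: alert when, within any `window_days` span, an employee reads more
    than `max_unassigned` distinct customers outside their portfolio, or reads any
    unassigned PEP record at all. Returns {employee: [reasons]}."""
    unassigned = defaultdict(list)
    for a in log:
        if not a.in_portfolio:          # in-portfolio work is the employee's job
            unassigned[a.employee].append(a)
    alerts = {}
    for emp, accesses in unassigned.items():
        accesses.sort(key=lambda a: a.day)
        reasons, lo = set(), 0
        for hi, a in enumerate(accesses):
            if a.pep:
                reasons.add("unassigned PEP access")
            # advance the window start so it covers the last `window_days` days
            while accesses[lo].day < a.day - timedelta(days=window_days - 1):
                lo += 1
            distinct = {x.customer for x in accesses[lo:hi + 1]}
            if len(distinct) > max_unassigned:
                reasons.add("slow-burn unassigned access")
        if reasons:
            alerts[emp] = sorted(reasons)
    return alerts
```

The two rules see identical input; only the pattern rule, which keys on who is being read and over what span rather than on daily volume, surfaces the insider.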

A Broader Signal to the Banking Sector

The Intesa Sanpaolo data breach highlights a persistent challenge for financial institutions: insider risk. Even with existing safeguards, employees with system access can misuse data if controls are not tight enough or actively monitored. The case shows that compliance is not just about having systems in place, but ensuring they work in practice. For the wider banking sector, the message is clear. Monitoring cannot be passive, and access cannot be overly broad. Without that balance, even established institutions risk facing similar regulatory action.

Dutch Finance Ministry Investigates Data Breach in Internal Systems

Ministry of Finance cyberattack

The Ministry of Finance cyberattack in the Netherlands has once again highlighted a growing concern: even critical government systems are struggling to stay ahead of increasingly advanced threats. While officials have moved quickly to contain the Ministry of Finance data breach, the incident highlights deeper structural challenges in public-sector cybersecurity. According to an official release, “The Ministry of Finance's ICT security detected unauthorized access to systems for a number of primary processes within the policy department on Thursday, March 19.” What makes this Ministry of Finance cyberattack particularly concerning is not just the breach itself, but the fact that it affected systems tied to “primary processes”—a term that signals operational significance rather than peripheral infrastructure.

Ministry of Finance Cyberattack: What Happened

The Ministry of Finance cyberattack came to light after a third party flagged suspicious activity, prompting an internal investigation. Security teams confirmed unauthorized access to several internal systems within a policy department. In response, authorities acted swiftly, blocking access and taking compromised systems offline. While this rapid containment is commendable, it also raises a critical question: why was external notification required in the first place? In mature cybersecurity environments, internal detection mechanisms are expected to identify anomalies before third parties do. The ministry clarified that services provided to citizens and businesses—particularly those linked to taxation, customs, and benefits—remain unaffected. However, the disruption to internal operations has impacted some employees, though the scale remains undisclosed. At this stage, officials have not confirmed whether sensitive data was accessed or exfiltrated. No threat actor has claimed responsibility, and investigators are still working to determine the entry point and intent behind the intrusion.

A Pattern of Cyber Incidents in the Netherlands

The Ministry of Finance cyberattack does not exist in isolation. It is part of a broader pattern of cybersecurity incidents affecting Dutch government institutions in recent months. A notable case involved the Dutch Custodial Institutions Agency (DJI), where a data breach exposed employee information, including email addresses, phone numbers, and security certificates. Reports suggest attackers may have maintained access to DJI’s internal systems for up to five months—a duration that points to gaps in detection and response capabilities. The breach was linked to a vulnerability in Ivanti Endpoint Manager Mobile, a widely used platform for managing enterprise devices. The same flaw also impacted other institutions, including the Dutch Data Protection Authority and the judiciary. In that case, attackers reportedly had the ability not only to access data but also to remotely control or wipe devices, an escalation that moves beyond data theft into operational disruption.

Why the Ministry of Finance Cyberattack Matters

The significance of the Ministry of Finance cyberattack goes beyond immediate disruption. It highlights three critical issues:
  • Detection Gaps: The reliance on third-party alerts suggests that internal monitoring systems may not be fully optimized.
  • Attack Surface Complexity: Government systems, often layered and legacy-heavy, present attractive targets with multiple entry points.
  • Persistent Threat Actors: The DJI case shows attackers are willing—and able—to maintain long-term access without detection.
These factors combined indicate that cybersecurity is no longer just a technical issue but a governance challenge.

Government Response and the Road Ahead

Authorities have stated, “We will update this message when we can share more information.” While this cautious communication is understandable, transparency will be key in maintaining public trust—especially if sensitive data exposure is later confirmed. State Secretary Claudia van Bruggen acknowledged the seriousness of recent incidents, emphasizing the government’s responsibility to protect its workforce. At the same time, officials have reassured that there is no immediate danger to affected personnel. Still, reassurance alone is not enough. The Ministry of Finance cyberattack should serve as a catalyst for systemic improvements, ranging from stronger endpoint security to real-time threat detection and zero-trust architecture adoption.