Data Regulator Likely Reviewing Insider Threat Case at Intesa Sanpaolo Bank
Intesa Sanpaolo bank of Italy this week told the country’s data regulator that an employee – who has since been fired – accessed sensitive banking details of the Italian prime minister, other top politicians and more than 3,500 customers over the past two years.
Intesa Sanpaolo, Italy’s largest bank, said it detected the breach in July 2024. An internal investigation revealed that Vincenzo Coviello, a former employee at the bank’s Bisceglie branch, accessed customers’ sensitive information more than 6,000 times between February 2022 and April 2024. Among the victims are Prime Minister Giorgia Meloni and her family.
The bank said it notified the data regulator and filed a complaint as an injured party with the Public Prosecutor’s Office in the Italian town of Bari.
“Our internal control system identified the individual, after which we notified the Italian Data Protection Authority, and dismissed the disloyal employee. We confirm that there was no cybersecurity issue,” the bank said in a statement.
The bank did not disclose the type of data exposed in the breach. The Italian Data Protection Authority did not immediately respond to a request for comment. Under the General Data Protection Regulation, any company violating the privacy rule could face a fine of up to 20 million euros, or 4% of the firm’s worldwide annual revenue.
In addition to Meloni and her sister, the former Intesa employee accessed the data of other Italian high-profile leaders including former prime ministers Mario Draghi, Enrico Letta and Matteo Renzi, as well as former Italian defense minister Guido Crosetto.
As part of the investigation launched by the Bari Public Prosecutor’s Office, the Italian authorities confiscated smartphones, tablets and other devices from Coviello. He has been charged with abusive access to computer systems and attempting to damage the security of the state. Appearing before the court last week, Coviello said he did not download any information or share the data accessed.
The Italian media outlet ANSA reported that the bank first confronted Coviello on July 4 with a disciplinary letter warning him that abusive access to customer accounts could “cause significant damage to the bank’s reputation and assets.” The bank fired Coviello on Aug. 8.