The data protection watchdog instructed the bank to inform all customers whose data has been violated within 20 days.
Intesa first suspended and then dismissed the employee who spied on the accounts.
On uncovering the breach and conducting a preliminary audit, Intesa had informed the data protection authority of the incident, while filing a complaint with prosecutors. After going through the procedure it was allowed to sack the employee.
But the authority said in a statement on Tuesday that the bank had not adequately informed it about the extent of the breach, which became apparent later due to press reports and was only confirmed subsequently by Intesa.
"Contrary to the bank's assessment... the breach of the personal data represents a high risk for the rights and the freedoms of the individuals concerned," the authority said.
It said the potential consequences of the breach had included disclosure of information on the financial status of individuals and reputational damage.