
Italy's UniCredit: Breach Went Undetected for Four Years

Incident Exposed Contact Information for 3 Million Italians, Bank Reports

UniCredit, an Italian banking and financial services company, sustained a data breach that went undetected for four years and exposed information on 3 million customers, the company acknowledged last week.


Data exposed includes customer names, city of residence, telephone numbers and email addresses, the company reports.

Back in 2017, UniCredit reported two other breaches that affected 400,000 Italian customers. A bank spokesperson told Reuters that the latest breach wasn't related to the previous breaches.

Late Discovery

In a brief statement released on Oct. 28, the bank notes: "The UniCredit cybersecurity team has identified a data incident involving a file generated in 2015 containing a defined set of approximately 3 million records limited to the Italian perimeter. Consequently no other personal data or any bank details permitting access to customer accounts or allowing for unauthorized transactions have been compromised."

The bank says it’s working with local law enforcement agencies on the investigation of the newly discovered incident.

A UniCredit spokesperson tells Information Security Media Group that the bank discovered “initial indications of the incident on Thursday, Oct. 24, and the indications were confirmed over the weekend of Oct. 26-27.” The bank then reported the incident to authorities.

The incident occurred in 2015, before the 2016 launch of the bank’s “Transform 2019” initiative, in which the bank invested €2.4 billion “in upgrading and strengthening its IT systems and cybersecurity,” the spokesperson says. For example, in June 2019, the bank implemented “a new strong identification process for access to its web and mobile services, as well as payment transactions. This new process requires a one-time password or biometric identification, further reinforcing its strong security and client protection.”

The spokesperson declined to provide further details on the latest breach, noting: “We do not comment on ongoing investigations.”


About the Author

Akshaya Asokan


Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.



