Italy's UniCredit: Breach Went Undetected for Four YearsIncident Exposed Contact Information for 3 Million Italians, Bank Reports
UniCredit, an Italian banking and financial services company, sustained a data breach exposing information on 3 million customers that went undetected for four years, the company acknowledged last week.
Data exposed includes customer names, city of residence, telephone numbers and email addresses, the company reports.
In a brief statement released on Oct. 28, the bank notes: "The UniCredit cybersecurity team has identified a data incident involving a file generated in 2015 containing a defined set of approximately 3 million records limited to the Italian perimeter. Consequently no other personal data or any bank details permitting access to customer accounts or allowing for unauthorized transactions have been compromised."
The bank says it's working with local law enforcement agencies on the investigation of the newly discovered incident.
A UniCredit spokesperson tells Information Security Media Group that the bank discovered "initial indications of the incident on Thursday, Oct. 24, and the indications were confirmed over the weekend of Oct. 26-27." The bank then reported the incident to authorities.
The incident occurred in 2015, before the 2016 launch of the bank's "Transform 2019" initiative, in which the bank invested €2.4 billion "in upgrading and strengthening its IT systems and cybersecurity," the spokesperson says. For example, in June 2019, the bank implemented "a new strong identification process for access to its web and mobile services, as well as payment transactions. This new process requires a one-time password or biometric identification, further reinforcing its strong security and client protection."
The spokesperson declined to provide further details on the latest breach, noting: "We do not comment on ongoing investigations.