Unicredit Reveals Double Breaches Affecting 400,000 Users

Around 400,000 Italian bank accounts have been accessed in one of Europe’s largest data breaches.

According to Bloomberg, attackers accessed about 400,000 client bank accounts accessing some customer data related to personal loans, with the lender saying IBAN numbers and other personal data may also have been accessed.

UniCredit said that unauthorized access through an Italian third party provider to Italian customer data was the cause of the incident.

The breaches reportedly happened during September and October 2016, and in the last two months. According to Reuters, a source familiar with the matter said the bank had only uncovered the data breaches between Monday and Tuesday of this week.

“The bank immediately adopted all necessary measures to prevent a repeat of such intrusions," the bank said in a statement, adding that it had notified law-enforcement authorities. The bank’s IT department discovered anomalies while conducting checks, finding that some users from an external commercial partner were accessing client data.

In an email to Infosecurity, Jonathan Armstrong, partner at Cordery, said that in the case of the TalkTalk breach, the ICO fine was 80% of the maximum. As Unicredit seem to have had a turnover of ‎€859.533 billion in 2016, the maximum fine could be around €34bn – and an equivalent fine (using the TalkTalk fine as a guide) of €27bn.

He said: “Of course this is not an exact science. Regulators in a case like this will look at mitigating and aggravating circumstances in assessing the fine – it could work out to be much less when the facts have been looked at. The Italian authorities may have their own formula which they apply.

“It is also likely that any fine of this level would be appealed so it may be around 2021 before we get a measure of certainty on the levels of fine which are appropriate under GDPR. It is also important to say that fines aren’t the only game in town. There are other remedies open to a regulator and to any victims including restrictions on processing and civil actions.”

However Andre Bywater, partner at Cordery, also told Infosecurity that the Italian data protection regulator is not shy of imposing high fines, and this April imposed the highest overall fine by a data protection regulator to date totaling €11 million on a number of companies together (€10,000 for each data subject whose data consent rights were infringed, and an additional €50,000 fine due to the size of the database and its importance).

Matt Walmsley, EMEA director of Vectra, said: “As the second breach in ten months, UniCredit needs to take hard look at its security posture as well as that of its supply chain. It must make efforts to learn and adapt to new and changing threats. Automating the way that cybersecurity personnel monitor and discover hidden threats is essential to protect customer information and identities.

“Ultimately, it also protects their own commercial interests. Round-the-clock automated monitoring and detection, using AI, allows for quick and pinpointed response to a potential breach. In a post-GDPR era, fines will be phenomenal, and businesses can’t afford to cut corners.”

What’s Hot on Infosecurity Magazine?