A database containing what appears to be the data of thousands of UniCredit S.p.A employees is being advertised for sale on cybercrime forums.
The Italian global banking and financial services company has more than 8,500 branches in 17 countries and employs over 97,775 people. Data allegedly belonging to around 3,000 of those employees went on sale on the dark web on April 19.
Advertising the data for sale is a hacker located in Romania who claims to have compromised UniCredit's systems and exfiltrated the data. Information allegedly stolen by the hacker includes names, email addresses, phone numbers, and encrypted passwords.
Buyers can purchase the data for sale in units of rows. The cost of 150,000 rows of data is $10,000.
Telsey, a unit of Telecom Italia S.p.A, believes the hacker's claims of stealing data from UniCredit are genuine. The company said that the database was found available on at least two cybercrime- and hacking-related forums.
In a statement published on its website on April 20, Telsey wrote: “By the first technical details retrieved, the database appears to be genuine and the potential result of a SQL Injection attack. Alternatively, it could be the result of extensive compromise of the victim network with the dump of the database directly from one of the internal servers.”
If Telsey's SQL injection theory is correct, then the hacker accessed UniCredit's data by inserting malicious code into database queries. According to Telsey, the information being offered for sale appears to be UniCredit data dating from 2018–2019.
UniCredit said that it was investigating the matter, hinting that any possible data breach may have occurred via a third party.
“UniCredit became aware that its name has been mentioned in relation to an alleged case of data breach in Romania related to an HR recruiting platform provided and managed by a third party,” UniCredit told Bloomberg News.
“There is no evidence of any UniCredit systems' having been accessed.”
The alleged hack comes just six months after the Italian financial giant confirmed that the records of three million of its customers had been exposed in a catastrophic data breach. Information exposed in the breach included names, phone numbers, and email addresses of UniCredit customers.