UniCredit Data Breach Hits 400,000 Customers

Italian bank admits what could be Europe’s largest ever data breach, and offers no apology

Italian banking and financial services giant UniCredit has admitted that hackers gained access to the details of 400,000 customers.

The massive data breach took place in two separate attacks over the past ten months, and is thought to be one of the biggest data breaches in Europe to date.

The 400,000 customer data records affected are related to people who took out personal loans in Italy.

Bank Admission

The bank’s admission came in a terse statement, in which it offered scant details of the attacks and no apology for the actual data breach.

“UniCredit today announced it has been the victim of a security breach in Italy due to unauthorised access through an Italian third party provider to Italian customer data related to personal loans only,” it said.

The first breach took place between September and October 2016 and the second breach took place in June and July 2017.

UniCredit did not name the ‘Italian third party provider’, nor did it reveal how the attackers had accessed the data.

It also failed to state when it first became aware of the data breaches, but Reuters quoted a source familiar with the matter as saying the bank had only uncovered them between Monday and Tuesday this week.

“Data of approximately 400,000 customers in Italy is assumed to have been impacted during these two periods,” said the bank. “No data, such as passwords allowing access to customer accounts or allowing for unauthorised transactions, has been affected, whilst some other personal data and IBAN numbers might have been accessed.”

It said that it had “launched an audit and has informed all the relevant authorities.” It has also taken action “to close this breach”.

Concerned customers are offered a freephone number to call, or should contact their regular branch customer services team. UniCredit also said that it would be contacting the affected customers through specific channels.

“Customer data safety and security is UniCredit’s top priority and as part of Transform 2019, UniCredit is investing 2.3 billion euro in upgrading and strengthening its IT systems,” it concluded. That IT investment however will come as little comfort to those customers affected by the breach.

Unidentified Attackers

Meanwhile, Daniele Tonella, the head of UniCredit’s information technology unit, told Reuters that none of the data accessed by the attackers allowed any financial transaction to be carried out.

“We don’t know why this data was acquired,” he told Reuters. He also revealed the bank did not know who was behind the attacks.

“This news is an alarming reminder that anybody’s online information can be accessed if not protected sufficiently – and yet another indication that consumers are not the only target of cybercriminals,” said David Emm, principal researcher at Kaspersky Lab.

“Online providers, including banks, are themselves at increasing risk of attack, so it’s imperative that they regularly review all of their security procedures, examining possible vulnerabilities,” Emm added. “This process should review physical security right through to the outlying areas of the organisation’s infrastructure.”

Best Advice

He advised all UniCredit customers to keep a close eye on their online bank accounts and report anything suspicious.

Kaspersky Lab also recommended that all internet-connected devices be secured with security software, and that all OS updates be applied in a timely manner.

The firm also recommended that customers only use encrypted (HTTPS) websites; that a unique, strong password is used for every website; and that they never click on hyperlinks in emails. People are also advised to avoid untrusted public Wi-Fi hotspots for confidential online transactions, and to check their online accounts regularly.

The data breach comes as banks in the European Union, including those directly supervised by the European Central Bank (ECB), prepare for the incoming General Data Protection Regulation (GDPR).

One of the biggest new rules under the GDPR is its breach notification requirement: organisations must notify the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned. A breach that went undetected for ten months, as UniCredit’s first intrusion apparently did, would put that detection-to-notification window under sharp scrutiny.

Banks are a known target. Earlier this year a long-known flaw in the Signalling System 7 (SS7) telephony protocol was used by cyber criminals to intercept SMS one-time codes and drain European bank accounts.

Last November Tesco Bank halted online transactions for a time after fraud was discovered on customer accounts. Up to 40,000 accounts of Tesco Bank customers were affected.
