UniCredit reveals data breach exposing 3 million customer records

The Italian bank says that a single file is to blame.

The true cost of a data breach in 2019 Wendi Whitmore, IBM X-Force global lead for incident response and intelligence services, talks to Tonya Hall about how the cost of data breaches is determined by the time it takes to detect and respond to the breach.

UniCredit has revealed a data breach resulting in the leak of information belonging to three million customers. 

On Monday, the Italian bank and financial services organization said that a compromised file, generated in 2015, is the source of the security incident. 

In total, roughly three million records were exposed, revealing the names, telephone numbers, email addresses, and cities where clients were registered. 

While UniCredit caters to an international client base, each record related to an Italian customer. 

See also: Open database leaked 179GB in customer, US government, and military records

UniCredit is keen to emphasize, however, that the data leak did not include any financial information or the credentials required to access client accounts. 

Therefore, those involved in the breach have lost Personally Identifiable Information (PII) which can be used in social engineering campaigns and potentially contribute to identity theft, but the chance of unauthorized transactions caused by the data leak is slim. 

The company has launched an internal investigation into how the breach took place and has informed relevant authorities, including law enforcement. Impacted customers will be informed by post or via online banking. 

CNET: Senators want to know if TikTok poses a national security risk

"Since 2016, the Group has invested an additional 2.4 billion euros in upgrading and strengthening its IT systems and cybersecurity," UniCredit says. "Customer data safety and security is UniCredit's top priority and in June 2019, the Group implemented a new strong identification process for access to its web and mobile services, as well as payment transactions."
 
This is not the first time UniCredit has faced a data breach incident. In July 2017, the bank said it had become a victim of data theft due to a third-party provider accessing Italian customer data without consent or authorization. 

Two separate breaches occurred; one between September and October 2016, and another between June and July 2017. Information belonging to approximately 400,000 Italian customers was impacted, including PII and IBAN numbers. 

TechRepublic: Cybersecurity Awareness Month: How individuals and businesses can stay vigilant

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0