UniCredit reveals data breach exposing 3 million customer records

The Italian bank says that a single file is to blame.
Written by Charlie Osborne, Contributing Writer

UniCredit has revealed a data breach resulting in the leak of information belonging to three million customers. 

On Monday, the Italian bank and financial services organization said that a compromised file, generated in 2015, is the source of the security incident. 

In total, roughly three million records were exposed, revealing the names, telephone numbers, email addresses, and cities where clients were registered. 

While UniCredit caters to an international client base, each record related to an Italian customer. 

UniCredit is keen to emphasize, however, that the data leak did not include any financial information or the credentials required to access client accounts. 

Affected customers have therefore had Personally Identifiable Information (PII) exposed, which can be used in social engineering campaigns and potentially contribute to identity theft, but the chance of unauthorized transactions caused by the data leak is slim.

The company has launched an internal investigation into how the breach took place and has informed relevant authorities, including law enforcement. Impacted customers will be informed by post or via online banking. 

"Since 2016, the Group has invested an additional 2.4 billion euros in upgrading and strengthening its IT systems and cybersecurity," UniCredit says. "Customer data safety and security is UniCredit's top priority and in June 2019, the Group implemented a new strong identification process for access to its web and mobile services, as well as payment transactions."

This is not the first time UniCredit has faced a data breach incident. In July 2017, the bank said it had become a victim of data theft due to a third-party provider accessing Italian customer data without consent or authorization.

Two separate breaches occurred: one between September and October 2016, and another between June and July 2017. Information belonging to approximately 400,000 Italian customers was impacted, including PII and IBAN numbers.
