It has been reported today that UniCredit SpA has announced that hackers accessed about 400,000 client bank accounts in Italy, taking biographical and loan data in one of the biggest breaches in Europe to date.
In an email statement sent out today, the bank said the data breaches occurred in September and October of 2016 and June to July of this year. “UniCredit has launched an audit and has informed all the relevant authorities,” it said in a statement.
This attack represents the biggest cyber security incident reported by an Italian bank. Matt Walmsley, EMEA director at Vectra, suggests that this “hack is a stark reminder that businesses need to take extra care with who can access sensitive customer data, especially when they outsource elements of their value chain.”
In these two separate security incidents, unauthorised access was gained via an Italian third party provider, which gave access to customer data related to personal loans. The lender said IBAN numbers and other personal data may also have been accessed.
The bank did add, however, that account passwords had not been compromised, so there were no incidents of unauthorised transactions.
Giving some insight into this news, Andrew Clarke, EMEA Director at One Identity, said: “Through its project “Transform 2019”, UniCredit bank was supposed to invest more than 2.3 billion (euro) to update and reinforce the IT systems. The bank was aware of issues since 2016 and is targeting 2019 before addressing. This demonstrates once again a strategy of reaction vs a proactive action does not pay off. This repeated attack demonstrates that a lack of attention by the business in supporting the Information Systems has had high impact across the whole company.”
“We rely on our service providers to protect our personal information – that is the trust we place in them. When a bank reveals that data has been stolen, even if money has not been stolen, that trust is undermined. In this case, it is believed that name, address and ID card number have been stolen – significant personally identifiable information (PII) that compromises personal integrity.
“It is the responsibility of the bank to take necessary measures to implement the best available security, such as data governance and for third party access, protection of privileged accounts to safeguard access to systems; and the ability to provide auditable information that, in the event of an incident, can be used to comprehend the impact and correct it. Under GDPR the demonstration of all of these important data governance elements will become even more important.”
Next year, the impending EU GDPR regulation means that banks and other organisations could be fined up to 4% of their annual turnover if they suffer a data breach and do not report it within 72 hours of its discovery.