Italy's UniCredit: Breach Went Undetected for Four Years
Incident Exposed Contact Information for 3 Million Italians, Bank Reports
UniCredit, an Italian banking and financial services company, sustained a data breach exposing information on 3 million customers that went undetected for four years, the company acknowledged last week.
Data exposed includes customer names, city of residence, telephone numbers and email addresses, the company reports.
Back in 2017, UniCredit reported two other breaches that affected 400,000 Italian customers. A bank spokesperson told Reuters that the latest breach wasn't related to the previous breaches.
Late Discovery
In a brief statement released on Oct. 28, the bank notes: "The UniCredit cybersecurity team has identified a data incident involving a file generated in 2015 containing a defined set of approximately 3 million records limited to the Italian perimeter. Consequently no other personal data or any bank details permitting access to customer accounts or allowing for unauthorized transactions have been compromised."
The bank says it’s working with local law enforcement agencies on the investigation of the newly discovered incident.
A UniCredit spokesperson tells Information Security Media Group that the bank discovered “initial indications of the incident on Thursday, Oct. 24, and the indications were confirmed over the weekend of Oct. 26-27.” The bank then reported the incident to authorities.
The incident occurred in 2015, before the 2016 launch of the bank’s “Transform 2019” initiative, in which the bank invested €2.4 billion “in upgrading and strengthening its IT systems and cybersecurity,” the spokesperson says. For example, in June 2019, the bank implemented “a new strong identification process for access to its web and mobile services, as well as payment transactions. This new process requires a one-time password or biometric identification, further reinforcing its strong security and client protection.”
The spokesperson declined to provide further details on the latest breach, noting: “We do not comment on ongoing investigations.”