UniCredit Suffers Third Breach Despite Investing Billions in Cybersecurity

unicredit data breach

UniCredit was also hit with hacking incidents in September-October 2016 and June-July 2017.

Despite investing 2.4 billion euros since 2016 to upgrade its cybersecurity profile, Italian banking institution UniCredit has suffered its third recent data breach, this time impacting 3 million customers.

The company said in a short data breach announcement on its website that names, telephone numbers, email addresses and cities where clients were registered were exposed via unauthorized access to a file generated in 2015. Bank account details were not included. UniCredit told Reuters that it wouldn’t release information on how the access occurred, but it did say that has launched an internal investigation and has informed all the relevant authorities, including the police.

UniCredit was also hit with hacking incidents in September-October 2016 and June-July 2017, affecting 400,000 Italian customers. Those hacks were carried out via the network of a commercial partner, the bank said at the time.

“The incident at UniCredit shows that spending money alone isn’t enough to safeguard an organization from data breaches,” Jelle Wieringa, technical evangelist at KnowBe4, said via email. “After the breach in 2016, the bank invested an additional Euro 2.4 billion in its security. That is an awful lot of money to spend only to find out it wasn’t enough to stop the bad guys from getting in and stealing information.”

Its cybersecurity investment, which it calls “Transform 2019,” included the June 2019 implementation of a strong identification process featuring two-factor authentication (via a onetime password or biometric identification) for access to its web and mobile services, as well as for payment transactions.

“There isn’t very much known about the way the UniCredit breach took place. But there is still a lesson which can be learned from this. Even at this early stage,” Wieringa said. “In this instance, a file from 2015 was stolen. Under GDPR, it counts as a data breach, since it’s likely that most of the data is still valid. People tend to forget the value of data over time, especially if they are confronted with large amounts of it every day, and information fatigue is a real thing.”

ZeroFOX’ recent Financial Services Digital Threat Report showed a 56 percent annual increase in digital threat activity targeting the financial services sector this year. System and information exploitation specifically grew 26 percent within the past year.

“Attackers are increasingly adept at compromising systems, and social media has increasingly become the conduit,” according to the report. “They also blatantly market their heists both publicly and privately, across all digital channels. Malicious domains top the list of attack techniques at 57 percent share, with another 18 percent coming from information disclosures found on paste sites, most of which are accessible to the public.”

What are the top mistakes leading to data breaches at modern enterprises? Find out: Join experts from SpyCloud and Threatpost senior editor Tara Seals on our upcoming free¬†Threatpost webinar, “Trends in Fortune 1000 Breach Exposure.”¬†Click here to register.

Suggested articles