UniCredit breach: Data of 400,000 customers exposed

Italian global banking and financial services company UniCredit has revealed that it has suffered two security breaches in less than a year.

“A first breach seems to have occurred in September and October 2016 and a second breach which has just been identified in June and July 2017. Data of approximately 400,000 customers in Italy is assumed to have been impacted during these two periods,” the company noted.

This data possibly includes personal data and IBAN numbers, but not passwords that can be used to access customer accounts or perform unauthorised transactions.

Apparently, the attackers found their way into the company’s systems through an Italian third-party provider. The compromised data belongs to Italian customers who took out personal loans.

The breach was discovered by the bank’s IT department, who detected anomalies in the way some users from this external commercial partner were accessing client data.

The bank immediately booted out the intruders, closed the breach, and launched an internal audit. UniCredit has also made sure to note in the press release that it is investing 2.3 billion euro (around $2.7 billion) in upgrading and strengthening its IT systems.

Relevant authorities have been notified about the incident, and the company has filed a claim with the Milan Prosecutor’s office.

Affected users will be contacted and notified “through specific channels, not including email or phone calls.” I guess that means actual letters, or face-to-face communication when they go to the bank, or possibly even through a notice when they access their online banking account.

Those UniCredit users who would like to know immediately if they have been affected can contact the bank through its dedicated toll-free number or their regular branch customer services team.