UniCredit says personal data of 3 million customers was compromised

Italian global banking and financial services giant UniCredit has announced that its cybersecurity team has identified “a data incident” that resulted in the compromise of personal data of 3 million of its customers.

What data was compromised?

UniCredit has subsidiaries in many European countries, as well as Russia, Turkey, Serbia and Bosnia and Herzegovina.

This latest data incident involves compromised personal information of some 3 million of its Italian customers. To be specific, the file contains their name, city, telephone number and email address, but not their account details, password or any other type of data that could allow attackers to access customer accounts or effect unauthorized transactions.

The file was generated in 2015. UniCredit did not say who had access to the file or how they discovered that the file fell into the wrong hands.

How did it happen?

Since they did not say that they suffered a breach, it might be that the file was being offered for sale on underground cybercrime forums. Perhaps it was stolen when, in late 2016 and mid-2017, attackers breached their systems through a third party provider?

According to Reuters, a spokesman for the bank confirmed that this latest incident was not in any way related to the previous episodes.

Whatever the case may be, the company has notified the relevant authorities and the police and has started an internal investigation, so hopefully customers and the public will eventually know what happened.

Customers should be careful

In the meantime, UniCredit is contacting all potentially affected persons to share the news and advise them on how to avoid phishing attempts that can be mounted by using the compromised data (usually spoofed, targeted emails or phone calls purportedly coming from the bank’s employees).

They are doing so by post and/or through online banking notifications – two communication channels that attackers can’t compromise or spoof easily or cheaply.