Italy’s largest lender, UniCredit, has blamed an unnamed “third-party provider” for two security breaches where hackers have managed to steal information related to the personal loans of some 400,000 customers.
UniCredit explained in a statement that the two breaches occurred in September-October of 2016 and in June-July of this year.
In the statement, the bank reassured customers that no passwords allowing access to accounts or allowing for unauthorised transactions had been exposed by the hack.
Obviously that’s a big relief to UniCredit’s many customers, but the fact that some personal data and IBAN numbers have been exposed raises the risk that criminals may use the stolen information to target individuals and attempt to commit identity theft.
To that end UniCredit explains that it will not be contacting affected customers via email or telephone – so victims would be wise to treat any such approaches with caution.
Instead, for further information, international customers are advised to contact UniCredit through a dedicated toll-free number (800 323285) or through their regular branch’s customer service team.
UniCredit says that it has informed the authorities of the incident, and has launched an investigation into what went wrong.
With the European Union’s GDPR (General Data Protection Regulation) legislation coming into force next year, companies would be wise to ensure that they are treating the security of customer information as a top priority.
Serious violations of GDPR could result in fines of up to 20 million Euros or 4 percent of an organisation’s global revenue (whichever is larger).
Using the excuse that the breach occurred while the data was being processed by a “third party provider” isn’t, I’m afraid, going to provide much of a defence if it is your customers’ data that was exposed by a security breach, as GDPR places obligations on you to ensure that your contracts with data processors comply with the legislation.
Read more about how organisations that handle data for customers in Europe need to be ready for GDPR on the Bitdefender Business Insights blog.