Italian banking giant UniCredit has suffered a “data incident” that exposed 3 million customer records, including full names, phone numbers and email addresses.
UniCredit issued an urgent security notice yesterday announcing that a file containing personally identifiable information (PII) of millions of customers had been leaked. The file had been created in 2015, according to the announcement.
“The UniCredit cyber security team has identified a data incident involving a file generated in 2015 containing a defined set of approximately 3 million records limited to the Italian perimeter. The records consist of names, city, telephone number and email only. Consequently, no other personal data or any bank details permitting access to customer accounts or allowing for unauthorized transactions have been compromised,” reads the notice.
The leaked data may not allow a bad actor to conduct unauthorized transactions, but it can be used to conduct phishing scams, identity theft, and even synthetic identity fraud – where a cybercrook combines real and fake information to create an entirely new (but fake) identity.
UniCredit is now investigating the incident internally and has informed the relevant authorities. The announcement ends with UniCredit saying it takes cybersecurity very seriously – so much so that “the Group has invested an additional 2.4 billion euro in upgrading and strengthening its IT systems and cyber security.”
The bank has also implemented a strong identification process for payment transactions and other privileged actions that requires a one-time password or biometric identification.
The incident marks UniCredit’s fourth data breach in as many years, after two breaches in 2016 and another in 2017.
UniCredit was also the first company fined under the GDPR in Romania, after exposing Romanian customers’ personal identification numbers through a misconfigured online portal. This week’s incident is similar, meaning UniCredit is likely to incur another penalty under the legislation that protects EU residents’ personally identifiable data. The fine is typically calculated based on the severity of the leak. The incident in Romania was fairly minor, yet serious enough to make UniCredit cough up 130,000 euros. Considering the scope of this week’s incident in Italy, a new penalty would likely be higher.