UniCredit, an Italian bank and financial services provider, has announced that it suffered a data security incident that led to the loss of three million personal data records including names, telephone numbers, and email addresses of its Italian customers.
The incident took place when unauthorised entities gained access to a single file generated in 2015 by the bank which contained “a defined set of approximately 3 million records limited to the Italian perimeter”.
UniCredit said that the personal data records stored in the file included the names, cities, telephone numbers and email addresses of its customers. However, it reassured customers by stating that the stolen data records cannot be used by cyber criminals to access customer accounts or to carry out unauthorised transactions.
“Customer data safety and security is UniCredit’s top priority and since the 2016 launch of Transform 2019, the Group has invested an additional 2.4 billion euro in upgrading and strengthening its IT systems and cyber security,” UniCredit said in a press release.
“In June 2019, the Group implemented a new strong identification process for access to its web and mobile services, as well as payment transactions. This new process requires a one-time password or biometric identification further reinforcing its strong security and client protection,” it added.
Hackers may have sold UniCredit data on the Dark Web
According to Italian press reports, the data security incident involved hackers breaching a database owned and operated by UniCredit and transferring the contents of the stolen file to the Dark Web.
“Even if no data have been acquired for access to accounts or for unauthorised transactions, this is a worrying fact on which we hope the postal police can shed full light. Consumers must now pay close attention and take special precautions, following special precautions in the coming months. For example, there may be an increase in computer scams, the so-called phishing,” said Massimiliano Dona, president of the National Union of Consumers, to Corriere Comunicazioni.
“Hackers could send UniCredit customers personalised e-mails with the bank’s counterfeit logo, inviting them to access the site for security reasons, using their attack as a pretext. Not for nothing UniCredit itself has taken care to inform that it will contact customers only by traditional mail and has made available a dedicated toll-free number,” he added.
Commenting on the data breach incident involving UniCredit, Jonathan Knudsen, senior security strategist at Synopsys, said that the ongoing parade of disclosures about unprotected databases should raise a big red flag.
“How do we ensure this never happens again? Education is the first step. Anyone who understands the danger of exposing data on the internet will make better choices, like requiring authentication and encrypting data at rest. Policy is the second step. Enforcing a policy that any public-facing server configuration must be reviewed and approved would help minimise the risk of these types of incidents,” he added.