UniCredit data breach hits 400,000 customers


UniCredit, Italy’s largest bank, has announced it has been the victim of a data security breach due to unauthorised access, through an Italian third-party provider, to Italian customer data.

The breach relates to personal loans only, but acts as a warning to all finance providers of the ongoing risks they face relating to data security. A first breach seems to have occurred in September and October 2016 and a second breach which has just been identified in June and July 2017.

The business said data of approximately 400,000 customers in Italy is assumed to have been impacted during these two periods.

No data, such as passwords allowing access to customer accounts or allowing for unauthorised transactions, has been affected, whilst some other personal data and IBAN numbers might have been accessed.

UniCredit has launched an audit and has informed all the relevant authorities. It will also file a claim with the Milan Prosecutor’s office.

The bank has also taken immediate remedial action to close the breach.

The company said customer data safety and security is UniCredit’s top priority and, as part of Transform 2019, UniCredit is investing €2.3 billion in upgrading and strengthening its IT systems.

It has launched a toll-free helpline and will be contacting affected customers through specific channels, not including email or phone calls.

The breach comes as amid warnings to finance companies that the industry will not be compliant by next year’s deadline for the EU General Data Protection Regulation (GDPR) because of the complexities involved in adapting to new standards.

The GDPR, which comes into force in May 2018, strengthens data protection regulations for all individuals within the EU and aims to give control of personal data back to consumers.

The new rules identify personal data as any information relating to an individual, whether it relates to private, professional or public life.

It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.

Difficult elements include the ability of consumers to challenge automated individual decision-making, including profiling and algorithm-based assessments.

Ashley Winton, a partner at Paul Hastings (Europe), said that the complexity and scale of the new rules meant it was unlikely companies could be fully compliant in time.

A significant area where companies may struggle is when it comes to cyber-security, as the language used in the new regulation is much broader.

Winton said: “The data definition is much broader than you might think and the language used is about denial of service attacks and breaches of security. So, if something is not working [after a denial of service attack], that is a breach of cyber security.”

While regulators can raise fines of 4% of a company’s worldwide turnover, the real risk will come from smaller claims taken on a ‘no win no fee basis’.

Winton added: “There is no longer a requirement for monetary loss before you can bring a claim. If you suffer distress you can bring a claim.”