UniCredit leaks 3 million customer records in data breach

Italian banking giant UniCredit has suffered a “data incident” that exposed 3 million customer records, including full names, phone numbers and email addresses.

The bank issued an urgent security notice yesterday announcing that a file containing personally identifiable information (PII) of millions of customers had been leaked. The file had been created in 2015, according to the announcement.

“The UniCredit cyber security team has identified a data incident involving a file generated in 2015 containing a defined set of approximately 3 million records limited to the Italian perimeter. The records consist of names, city, telephone number and email only. Consequently, no other personal data or any bank details permitting access to customer accounts or allowing for unauthorized transactions have been compromised,” reads the notice.

The leaked data may not allow a bad actor to conduct unauthorized transactions, but it can be used to conduct phishing scams, identity theft, and even synthetic identity fraud – where a cybercrook combines real and fake information to create an entirely new (but fake) identity.

UniCredit is now investigating the incident internally and has informed the relevant authorities. The announcement ends with UniCredit saying it takes cybersecurity very seriously – so much so that “the Group has invested an additional 2.4 billion euro in upgrading and strengthening its IT systems and cyber security.”

The bank has also implemented a strong identification process for payment transactions and other privilege-based actions that requires a one-time-password or biometric

The incident marks UniCredit’s fourth data breach in as many years, after two breaches in 2016 and another in 2017.

UniCredit was also the first company fined under the GDPR in Romania, after exposing Romanian customers’ personal identification numbers through a misconfigured online portal. This week’s incident is similar, meaning UniCredit is likely to incur another penalty under the legislation that protects EU residents’ personally identifiable data. The fine is typically calculated based on the severity of the leak. The incident in Romania was fairly minor, yet serious enough to make UniCredit cough up 130,000 euros. Considering the scope of this week’s incident in Italy, a new penalty would likely be higher.
