[BreachExchange] UniCredit reveals data breach exposing 3 million customer records

Destry Winant destry at riskbasedsecurity.com
Mon Oct 28 10:11:16 EDT 2019


https://www.zdnet.com/article/unicredit-reveals-data-breach-exposing-3-million-customer-records/

UniCredit has revealed a data breach resulting in the leak of
information belonging to three million customers.

On Monday, the Italian bank and financial services organization said
that a compromised file, generated in 2015, is the source of the
security incident.

In total, roughly three million records were exposed, revealing the
names, telephone numbers, email addresses, and cities where clients
were registered.

While UniCredit caters to an international client base, each record
related to an Italian customer.

UniCredit is keen to emphasize, however, that the data leak did not
include any financial information or the credentials required to
access client accounts.

Therefore, those affected by the breach have lost Personally
Identifiable Information (PII), which can be used in social engineering
campaigns and potentially contribute to identity theft, but the chance
of unauthorized transactions caused by the data leak is slim.

The company has launched an internal investigation into how the breach
took place and has informed relevant authorities, including law
enforcement. Impacted customers will be informed by post or via online
banking.

"Since 2016, the Group has invested an additional 2.4 billion euros in
upgrading and strengthening its IT systems and cybersecurity,"
UniCredit says. "Customer data safety and security is UniCredit's top
priority and in June 2019, the Group implemented a new strong
identification process for access to its web and mobile services, as
well as payment transactions."

This is not the first time UniCredit has faced a data breach incident.
In July 2017, the bank said it had become a victim of data theft due
to a third-party provider accessing Italian customer data without
consent or authorization.

Two separate breaches occurred: one between September and October
2016, and another between June and July 2017. Information belonging to
approximately 400,000 Italian customers was impacted, including PII
and IBAN numbers.

