[BreachExchange] Italian Garante Fines Bank 600,000 Euros for Pre-GDPR Data Breach

Destry Winant destry at riskbasedsecurity.com
Mon Jul 6 10:23:32 EDT 2020


https://www.natlawreview.com/article/italian-garante-fines-bank-600000-euros-pre-gdpr-data-breach

The Italian Data Protection Authority (Garante per la protezione dei dati
personali, “Garante”) recently announced that it levied a €600,000 fine on
banking institution UniCredit for several violations of the Italian
Personal Data Protection Code, in its pre-General Data Protection
Regulation (“GDPR”) form.

The sanction was imposed following a data breach that took place between
April 2016 and July 2017 that the banking institution notified to the
Garante at the end of July 2017. As a result of the breach, the personal
data of over 700,000 customers, including contact details, employment data
(e.g., salary information), education data, identification details and
financial data (e.g., bank account number, information on loans, payment
status and customers’ credit ratings), was unlawfully accessed.

The Garante found that the bank had failed to implement adequate security
measures and comply with local requirements regarding the tracking of
banking transactions. In determining the amount of the fine, the Garante
took into account the number of individuals affected by the breach, as well
as the fact that the bank had implemented various security measures to
strengthen the security of its IT systems following the breach.

Read the Garante’s decision
<https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9429195>
(in Italian).