UniCredit Bank Suffers ‘Data Incident’ Exposing 3 Million Italian Customer Records

UniCredit, an Italian global banking and financial services company, announced today that it suffered a security incident that leaked some personal information belonging to at least 3 million of its domestic customers.

Officially founded in 1870, UniCredit is Italy’s biggest banking and financial services and one of the leading European commercial banks with more than 8,500 branches across 17 countries.

What happened? — Though there’s UniCredit did not disclose any details on how the data incident happened, the bank did confirm that an unknown attacker has compromised a file created in 2015 containing three million records relating only to its Italian customers.

What type of information was compromised? — The leaked data contains personal information of 3 million customers, including their:

• Names
• Cities
• Telephone numbers
• Email addresses

What type of information was not compromised? — Unicredit confirmed that the compromised user records did not include any other personal data or bank details that would permit attackers access to customer accounts or allow unauthorized transactions.

What is UniCredit now doing? — The company immediately launched an internal investigation to investigate the incident and verify the extent of the breach, as well as informed all the relevant authorities, including law enforcement.

The company has also begun contacting all potentially affected customers by online banking notifications and/or post.

The bank also said it had placed additional security controls to harden the safety and security of its customers’ data.

“Customer data safety and security is UniCredit’s top priority, and since the 2016 launch of Transform 2019, the Group has invested an additional 2.4 billion euro in upgrading and strengthening its IT systems and cybersecurity,” UniCredit said.

“In June 2019, the Group implemented a new strong identification process for access to its web and mobile services, as well as payment transactions. This new process requires a one-time password or biometric identification, further reinforcing its strong security and client protection.”

What affected customers should do now? — Though the compromised data doesn’t include any banking or financial data, it is always a good idea to be vigilant and keep a close eye on your bank and payment card statements for any unusual activity and report to the bank, if you find any.

This is not the first time when UniCredit has been a victim of such a data security incident. In 2017, the bank disclosed two similar data breaches—one occurred between September and October 2016 and another between June and July 2017— that affected nearly 400,000 Italian customers.