UniCredit, Italy's biggest banking group, has been hit by a massive data breach, which included identifying information and account numbers.
UniCredit operates in about 50 markets worldwide and is particularly active across Europe. The bank revealed this week that it had suffered the breach, following unauthorised access to Italian customer data related to personal loans, via a third-party provider.
Two breaches took place: in September and October last year, and June and July this year. While personal data was stolen, passwords were not, the bank advises, so unauthorised transactions cannot be made.
In a statement, the bank said that it had launched an investigation and informed 'the relevant authorities'. It is also filing a claim with the Milan Prosecutor's Office and claims to have taken action to close the breach.
UniCredit has published a phone number (+39 800 323285) that customers can call to find out if they have been affected. It also said that it is spending €2.3bn to upgrade its IT systems as part of its Transform 2019 plan.
The breach would have opened the bank up to a painfully large fine under the EU General Data Protection Regulation (GDPR), if the legislation had been fully active. The GDPR comes into full effect next May.
Peter Carlisle, vice president of EMEA at Thales e-Security, told V3 that banks "will continue to be a top target for malicious hackers".
He continued: "These threats must be met head on, through rigorous encryption policies and detailed security procedures to prepare for an attack before it happens.
"By embracing encryption, tokenisation and key management, stolen personal data can be rendered useless to hackers, minimising the damage of these breaches, should they occur.
"With less than a year to go until the GDPR, organisations need to ensure they are complying with regulations or risk not only extreme fines, but customer data, loyalty and ultimately, their reputation."