UniCredit has revealed a data breach affecting 400,000 customers who suffered unauthorised access to their personal loan accounts at Italy’s biggest bank.
The Milan-based lender blamed a “third-party provider” for the two data breaches it discovered, which it said happened between September and October 2016 and again between June and July of this year.
“No data, such as passwords allowing access to customer accounts or allowing for unauthorised transactions, has been affected, whilst some other personal data and IBAN numbers might have been accessed,” the bank said.
Since Jean-Pierre Mustier took over as chief executive of UniCredit a year ago he has made upgrading and strengthening its technology a top priority alongside shoring up its balance sheet. Earlier this year, he raised €13bn in a rights issue.
UniCredit, which has allocated €2.3bn to modernise its IT systems, said the breach had been detected after a shake-up of management and procedures by Daniele Tonella, who was hired from Axa as the bank’s new IT director in January.
The Italian lender published a toll-free number for customers to call about the issue and said it would contact the people affected through “specific channels”, not by phone or email; the contact is thought to be by post.
Several of the world’s biggest banks have suffered embarrassing data breaches and system outages — including Royal Bank of Scotland and JPMorgan Chase — as they struggle to protect their ageing IT systems from the growing menace of hackers and cyber criminals.
From next March, such data breaches will become much more expensive and could result in fines of up to 4 per cent of total revenue being imposed under the EU’s incoming General Data Protection Regulation.
UniCredit’s IT security problems came to light on Monday evening and it informed the regulator on Tuesday. Mr Tonella said the bank was not sure whether the intrusion had been carried out by the Italian third-party service provider or a “malicious actor” that gained access to customer accounts through the third party.
He added that the breach affected only customers of its “prestiti personali” service, which provides small consumer loans, some of which are repaid via deductions from a borrower’s salary.
As far as the bank can tell, no customer has lost money as a result of the intrusion. But the personal data that customers entered to take out the loans — such as their name, address and ID card number — are believed to have been stolen. “We have had no complaints from customers,” Mr Tonella said.