Hackers potentially gained unauthorized access to the personal loan accounts belonging to 400,000 customers of UniCredit.
On 26 July, the Italian global banking and financial services company sent an email statement to affected customers. According to the statement there were two separate intrusions, one in September and October 2016 and another in June and July 2017. The notice also gives some detail about what information the two incidents potentially exposed.
As quoted by Financial Times:
“No data, such as passwords allowing access to customer accounts or allowing for unauthorised transactions, has been affected, whilst some other personal data and IBAN numbers might have been accessed.”
IBAN, short for International Bank Account Number, is the ISO 13616 standard format for identifying a bank account across national borders: a two-letter country code, two check digits and the domestic account identifier (BBAN). The check digits let a receiving system catch a mistyped or transposed account number before a cross-border payment is sent. An IBAN on its own does not let anyone log in to an account, but paired with the customer's name it is enough to make a phishing email look authentic and can be abused to set up fraudulent direct debits, so its exposure is not harmless.
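To make the check-digit mechanism concrete, the following is an added example (not code from the original article or from UniCredit) that validates an IBAN with the ISO 7064 MOD 97-10 rule, computes check digits for a given country code and BBAN, and masks an IBAN for logging or display. The sample values are constructed for this example: the two well-formed IBANs are the published ISO 13616 illustration values for GB and IT, not real accounts, and the altered variants are the same values with one digit changed or two digits swapped. Function names and the masking policy are this example's own choices; country-specific IBAN lengths from the IBAN registry are deliberately not checked.

```python
import re

# Constructed sample values for this example (not real accounts).
SAMPLE_IBANS = {
    "gb_ok": "GB82 WEST 1234 5698 7654 32",
    "it_ok": "IT60 X054 2811 1010 0000 0123 456",
    "gb_typo": "GB82 WEST 1234 5698 7654 31",   # one digit altered
    "gb_swap": "GB82 WEST 1234 5698 7654 23",   # adjacent digits transposed
}

# country code (2 letters), check digits (2 digits), BBAN (11..30 alphanumerics)
_IBAN_SHAPE = re.compile(r"^[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}$")


def normalise_iban(iban: str) -> str:
    """Strip the grouping spaces used for display and upper-case the rest."""
    return re.sub(r"\s+", "", iban).upper()


def _as_mod97_number(rearranged: str) -> int:
    """Expand letters to two digits each (A=10 ... Z=35) and return the integer."""
    digits = []
    for ch in rearranged:
        if ch.isdigit():
            digits.append(ch)
        else:
            digits.append(str(ord(ch) - ord("A") + 10))
    return int("".join(digits))


def iban_is_valid(iban: str) -> bool:
    """ISO 7064 MOD 97-10: move the first four characters to the end, expand
    letters to digits, and the resulting number must leave remainder 1 mod 97.
    Because 97 is prime, every single-digit error and every transposition of
    adjacent characters changes the remainder and is therefore detected.
    Country-specific lengths from the IBAN registry are not checked here."""
    s = normalise_iban(iban)
    if not _IBAN_SHAPE.match(s):
        return False
    rearranged = s[4:] + s[:4]
    return _as_mod97_number(rearranged) % 97 == 1


def iban_check_digits(country: str, bban: str) -> str:
    """Compute the two check digits for a country code and BBAN: evaluate the
    rearranged number with '00' as placeholder check digits, then take 98 minus
    the remainder, zero-padded to two digits."""
    country = country.upper()
    bban = normalise_iban(bban)
    remainder = _as_mod97_number(bban + country + "00") % 97
    return f"{98 - remainder:02d}"


def mask_iban(iban: str, visible_tail: int = 4) -> str:
    """Masking policy chosen for this example: keep the country code, the check
    digits and the last few characters; replace everything else with '*'."""
    s = normalise_iban(iban)
    head, tail = s[:4], s[-visible_tail:]
    return head + "*" * (len(s) - len(head) - len(tail)) + tail


if __name__ == "__main__":
    for name, value in SAMPLE_IBANS.items():
        print(f"{name:8s} {mask_iban(value):36s} valid={iban_is_valid(value)}")
    print("GB check digits:", iban_check_digits("GB", "WEST12345698765432"))
```

The check digits catch transcription mistakes, not misuse: a correctly formed IBAN copied from a breached database passes this test just as a legitimately supplied one does, which is why the masked form is the one that belongs in application logs and support tooling.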
Italy’s leading lender detected the two breaches after it appointed a new IT director. As reported by Bloomberg, the IT department under its new head noticed irregularities in check processing and traced them to an external commercial partner, some of whose user accounts were being used to access UniCredit customers’ accounts. UniCredit responded by blocking the intruders’ access.
These are not the first security incidents to affect bank customers’ accounts, and UniCredit intends to file a report on the breaches with the Milan prosecutor. It also plans to invest 2.3 billion euros ($2.7 billion) in updating and strengthening its IT systems. The programme is to include continuous updating of its infrastructure, strengthening the existing infrastructure through digitalisation, and building on the technological development of its core systems, while maintaining compliance with regulatory frameworks.
The changes proposed by UniCredit no doubt take into account the General Data Protection Regulation (GDPR), which takes full effect on 25 May 2018. Companies that want to avoid fines for breaching the Regulation, which can reach four percent of annual global turnover or 20 million euros (whichever is greater), need to ensure they maintain compliance with the GDPR. The timeline here is worth noting: intrusions dating back to September 2016 were disclosed to customers in July 2017, whereas under the GDPR a controller must notify its supervisory authority within 72 hours of becoming aware of a breach and must inform affected individuals without undue delay when the breach is likely to pose a high risk to them.