Hundreds of thousands of clients of Italian bank UniCredit have had their accounts hacked through one of the bank's third-party suppliers.
The bank said on the morning of 26 July that around 400,000 of its clients' accounts were accessed and their personal data stolen. The accounts were hacked in September and October 2016 and, most recently, in June and July this year.
Those affected appear to be customers who have taken out loans with the bank, loans that the third party in question dealt with. The bank happened upon the intrusion after it discovered that users from that third party were looking at client data.
The bank told press that no credentials were stolen, nor was anything that could allow hackers to access bank accounts to steal funds. IBAN data and some personal information may have been accessed, though.
A statement from the bank says that it has launched an audit and has informed the relevant authorities. Customers who fear they may be affected are told that they should call their regular branch. The bank will also be contacting customers it knows to be affected.
Banks are popular targets for cyber-criminals because of the wealth of critical information, both personal and proprietary, that they often hold. That, and they literally are ‘where the money is.’
All of this occurs against a backdrop of the bank bolstering its cyber-defences: it has invested €2.3 billion (£2 billion) in defending itself against attack.
Still, this is the second breach that UniCredit has experienced in a year. Matt Walmsley, EMEA director for Vectra, told SC, “UniCredit needs to take a hard look at its security posture as well as that of its supply chain. It must make efforts to learn and adapt to new and changing threats. Automating the way that cyber-security personnel monitor and discover hidden threats is essential to protect customer information and identities.”
While businesses often outsource data handling to third parties, “businesses have a duty of care to protect personal information regardless of whether they manage it in-house or out-of-house. Data management and security policies need to be put in place to carefully control, manage and audit the scope of third-party contractor access to information.”
He added, “customer confidence needs to be restored before long-term reputational damage takes place.”
UniCredit may be less fortunate when the EU's General Data Protection Regulation (GDPR) comes into force next year. The landmark piece of regulation is set to redefine the data protection landscape in the European Union and introduces several new measures, including responsibility for the security of third-party partners. If a company is breached through one of its third-party partners, then it will be held responsible for that breach and may incur fines of up to four percent of global turnover.