UniCredit S.p.A., multinational financial business and Italy’s largest bank by assets, has disclosed a data breach incident involving a file containing roughly three million records.
"The UniCredit cyber security team has identified a data incident involving a file generated in 2015 containing a defined set of approximately three million records limited to the Italian perimeter," said the bank's disclosure.
"The records consist of names, city, telephone number and email only. Consequently no other personal data or any bank details permitting access to customer accounts or allowing for unauthorised transactions have been compromised," it added.
"All customer information is valuable to fraudsters, even if it doesn’t include financial information such as bank account details or credit and debit card numbers," commented Rosemary O'Neill, director - customer delivery at NuData Security.
"Personal information, combined with other user data from other breaches and social media, builds a complete profile. In the hands of fraudsters and criminal organisations, these valuable identity sets are usually sold to other cyber-criminals and used for myriad criminal activities, both on the Internet and in the physical world."
UniCredit did not explain what caused the breach, but assured that it "immediately launched an internal investigation and has informed all the relevant authorities, including the police".
SC Media UK reported in August that the bank launched an internal investigation in connection to the Capital One breach, without divulging the nature of investigation or the scope of a possible breach.
The breach disclosure comes with assurances tha the bank has since 2016 invested EUR 2.4 billion (£2 billion) in upgrading and strengthening its IT systems and cyber-security. "In June 2019, the Group implemented a new strong identification process for access to its web and mobile services, as well as payment transactions," it said.
"That is an awful lot of money to spend only to find out it wasn't enough to stop the bad guys from getting in and stealing information," said Jelle Wieringa, technical evangelist at KnowBe4.
"Spending money in itself isn't enough. You need to spend it wisely. Especially in cybersecurity, where the amount of ways an attacker can get to you are huge and budgets for an average organization are finite. Spend it where it will matter most."
The human factor has to be secured by effective training and awareness, in order to detect unauthorised access confidential information from them and undersntand the value of the information they handle, noted Wieringa.
"In this instance, a file from 2015 was stolen. Under GDPR, itt still counts as a data breach, since probably most of the data in their is still valid. People tend to forget the value of data over time. especially if they are confronted with large amounts of it every day."