This week it was revealed that the major Italian bank Unicredit suffered two data security breaches, the first of which went undetected for almost 12 months, exposing the personal data of around 400,000 loan applicants. According to Bloomberg, the attackers accessed customer data including IBAN numbers and other identifying information. Unicredit has said that the cause of the incident was unauthorised access through an Italian third-party provider. In a prepared English-language statement, Unicredit said:
“A first breach seems to have occurred in September and October 2016 and a second breach which has just been identified in June and July 2017. Data of approximately 400,000 customers in Italy is assumed to have been impacted during these two periods. No data, such as passwords allowing access to customer accounts or allowing for unauthorised transactions, has been affected, whilst some other personal data and IBAN numbers might have been accessed.”
The breach underlines the importance, for organisations across Europe and beyond, of complying with the European Union's forthcoming General Data Protection Regulation, which comes into force on May 25, 2018.
Nick Pollard, security intelligence and analytics director at Nuix, noted that the breach took place less than a year before tougher data protection rules in the shape of the General Data Protection Regulation (GDPR) come into force in Europe. “This latest data breach goes to show the importance of a unified regulation such as GDPR in making third parties accountable for security concerns. GDPR ensures that data is accounted for, protected and access to it is managed,” he said.
“The recent UniCredit data breach is a prime example of knowing where the data is, but not ensuring it is properly protected and managed. 400,000 customers’ data was put at risk by a third-party supplier. Whilst the fact they know this shows they are doing a better job than most, the delay in revealing this goes to show that any business with large amounts of data must have full understanding of where, how and who manages it.”
If such a breach were to happen after GDPR comes into force, Unicredit could be looking at a cripplingly large fine: companies that fail to comply with the General Data Protection Regulation face fines of up to €20,000,000 or up to 4% of annual global turnover, whichever is greater. GDPR will also require data controllers to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it where feasible, so a breach that goes undetected and unreported for months would be a problem in its own right. Speaking to Infosecurity Magazine, Jonathan Armstrong, partner at Cordery, said that, “In the case of the TalkTalk breach, the ICO fine was 80% of the maximum. As Unicredit seem to have had a turnover of €859.533 billion in 2016, the maximum fine could be around €34bn – and an equivalent fine (using the TalkTalk fine as a guide) of €27bn.”