Data protection compliance lessons from UniCredit breach

By Jaclyn Jaeger2019-10-29T19:03:00+00:00

No comments

UniCredit announced its cyber-security team has identified a data breach that compromised the personal records of approximately three million clients in Italy, highlighting some critical data protection compliance lessons for all in the financial services industry.

The financial services firm said the latest breach relates to a 2015 file containing the names, telephone numbers, and e-mails of the clients. “No other personal data or any bank details permitting access to customer accounts or allowing for unauthorized transactions have been compromised,” the bank stated. UniCredit said it “immediately launched an internal investigation and has informed all the relevant authorities.”

The company added it has spent €2.4 billion (U.S. $2.7 billion) since 2016 to upgrade and strengthen its IT systems and cyber-security practices. In June 2019, UniCredit implemented “a new strong identification process for access to its Web and mobile services, as well as payment transactions,” the bank said. “This new process requires a onetime password or biometric identification, further reinforcing its strong security, and client protection.”

“The financial industry continues to be inundated with breaches,” says James Carder, chief information security officer at LogRhythm Labs, a security research and threat intelligence services firm. “Unfortunately, this latest breach from Italian bank UniCredit is a part of a recurring theme.”

“Even though the bank vies that it has invested in billions of euros worth of upgrades to boost its cyber-security program in the past few years, this data breach unveils how inadequately cyber-security tools are implemented and utilized—and proof that you cannot just throw a bunch of money at the problem,” Carder adds.

Protecting data

“Any organization that is entrusted with customer information must make it a priority to ensure the integrity of that data, especially financial institutions,” says Vinay Sridhara, chief technology officer at Balbix, a firm that leverages artificial intelligence to mitigate the risk of a data breach. “Even though the exposed information did not include any financial information, or the credentials required to access client accounts, the simplicity of this attack showcased how vulnerable banks and other financial corporations are to threat actors.”

Sridhara says it’s imperative that financial institutions’ security teams adopt a proactive cyber-security strategy to safeguard consumer data and comply with regulations, like the EU’s General Data Protection Regulation and California’s Consumer Privacy Act.

A proactive cyber-security strategy means:

Implementing tools to automatically discover all IT assets and services;
Continuously monitoring for breach risk factors;
Maintaining real-time visibility across device, app, and user inventory, as well as attack surfaces; and
Conduct a comprehensive risk assessment using “deep learning” and advanced AI algorithms to reveal breach risk insights.

In this way, Sridhara says, “security teams will be able to prioritize vulnerabilities that need to be remediated based on business criticality and take proactive mitigating steps, ultimately increasing their cyber-resilience.”

Jaclyn JaegerJaclyn Jaeger is a freelance contributor to Compliance Week after working for the company for 15 years. She writes on a wide variety of topics, including ethics and compliance, risk management, legal, enforcement, technology, and more.View full Profile

Topics

No comments

Interested in writing for CW?

Compliance Week accepts outside contributions from corporate chief compliance officers and other senior-level GRC practitioners. To learn more, contact the CW Editor.

Article
California governor gives nod of approval to 7 CCPA amendments

2019-10-15T18:40:00Z By Lori Tripoli

Amendments to the California Consumer Privacy Act add clarity, offer a BTB communication reprieve to businesses, and ensure consumers have a method for submitting more information requests.
Article
Survey highlights pain points of GDPR implementation

2019-09-16T15:03:00Z By Neil Hodge

Most organizations failed to meet the May 2018 deadline to comply with the launch of the EU’s tough new privacy rules, and the majority of them still find compliance a challenge, according to a recent survey.
Article
How GDPR, CCPA impact healthcare compliance

2019-08-12T19:46:00Z By Tony Howlett

While most healthcare organizations have pretty much nailed down their data privacy requirements for HIPAA and HITECH, new privacy mandates under the GDPR and CCPA could throw a wrench into the system.

No comments yet

You're not signed in.

Only registered users can comment on this article.

More from Data Privacy

Premium
EDPB decision sparks ‘consent or pay’ debate for Big Tech firms

2024-04-19T19:16:00Z By Neil Hodge

Big Tech firms might need to rethink their plans to charge users for not selling their personal data for behavioral advertising following a decision by Europe’s primary data regulator.
News Brief
CPPA warns of collecting too much data in first enforcement advisory

2024-04-05T19:40:00Z By Adrianne Appel

The California Privacy Protection Agency warned businesses to stop asking for excessive information from consumers who have requested to opt out of having their data collected or who are otherwise exercising their privacy rights under the California Consumer Privacy Act.
News Brief
DOT launches first data privacy review of 10 biggest airlines

2024-03-22T16:27:00Z By Jeff Dale

The U.S. Department of Transportation is looking to thwart the nation’s 10 largest airlines from monetizing passenger data or selling it to third parties.