UniCredit announced its cyber-security team has identified a data breach that compromised the personal records of approximately three million clients in Italy, highlighting some critical data protection compliance lessons for all in the financial services industry.

The financial services firm said the latest breach relates to a 2015 file containing the names, telephone numbers, and e-mails of the clients. “No other personal data or any bank details permitting access to customer accounts or allowing for unauthorized transactions have been compromised,” the bank stated. UniCredit said it “immediately launched an internal investigation and has informed all the relevant authorities.”

The company added it has spent €2.4 billion (U.S. $2.7 billion) since 2016 to upgrade and strengthen its IT systems and cyber-security practices. In June 2019, UniCredit implemented “a new strong identification process for access to its Web and mobile services, as well as payment transactions,” the bank said. “This new process requires a onetime password or biometric identification, further reinforcing its strong security, and client protection.”

“The financial industry continues to be inundated with breaches,” says James Carder, chief information security officer at LogRhythm Labs, a security research and threat intelligence services firm. “Unfortunately, this latest breach from Italian bank UniCredit is a part of a recurring theme.”

“Even though the bank vies that it has invested in billions of euros worth of upgrades to boost its cyber-security program in the past few years, this data breach unveils how inadequately cyber-security tools are implemented and utilized—and proof that you cannot just throw a bunch of money at the problem,” Carder adds.

Protecting data

“Any organization that is entrusted with customer information must make it a priority to ensure the integrity of that data, especially financial institutions,” says Vinay Sridhara, chief technology officer at Balbix, a firm that leverages artificial intelligence to mitigate the risk of a data breach. “Even though the exposed information did not include any financial information, or the credentials required to access client accounts, the simplicity of this attack showcased how vulnerable banks and other financial corporations are to threat actors.”

Sridhara says it’s imperative that financial institutions’ security teams adopt a proactive cyber-security strategy to safeguard consumer data and comply with regulations, like the EU’s General Data Protection Regulation and California’s Consumer Privacy Act.

A proactive cyber-security strategy means:

  • Implementing tools to automatically discover all IT assets and services;
  • Continuously monitoring for breach risk factors;
  • Maintaining real-time visibility across device, app, and user inventory, as well as attack surfaces; and
  • Conducting a comprehensive risk assessment using “deep learning” and advanced AI algorithms to reveal breach risk insights.

In this way, Sridhara says, “security teams will be able to prioritize vulnerabilities that need to be remediated based on business criticality and take proactive mitigating steps, ultimately increasing their cyber-resilience.”
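To make the prioritisation step concrete, here is a small added example (not code from UniCredit, Balbix or the article) that runs the strategy above over a constructed asset inventory: each asset carries an owner-assigned business criticality, an exposure flag and its open findings, and the remediation order is driven by criticality and exposure rather than by raw severity alone. Unregistered assets that a discovery scan turned up are reported separately. Every asset name, CVSS value and flag below is constructed for illustration.

```python
"""Risk-prioritised remediation over a constructed asset inventory.

Added example, not part of the original article. Asset names, scores and
findings are constructed; the weighting (severity x criticality x exposure)
is an illustrative choice, not any vendor's scoring model."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    criticality: int                 # 1 (low) .. 5 (business-critical), set by the owner
    internet_exposed: bool           # reachable from outside the network perimeter
    findings: list = field(default_factory=list)   # (description, cvss) tuples from monitoring
    in_inventory: bool = True        # False: found by discovery scan, never registered


def risk_score(asset: Asset) -> float:
    """Worst finding on the asset, weighted by business criticality and exposure."""
    if not asset.findings:
        return 0.0
    worst_cvss = max(cvss for _, cvss in asset.findings)
    exposure = 1.5 if asset.internet_exposed else 1.0
    return round(worst_cvss * asset.criticality * exposure, 1)


def prioritise(assets: list) -> list:
    """Return (name, score) pairs, highest remediation priority first."""
    scored = [(a.name, risk_score(a)) for a in assets]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def shadow_assets(assets: list) -> list:
    """Assets seen by discovery but missing from the maintained inventory."""
    return [a.name for a in assets if not a.in_inventory]


# Constructed inventory: a public web front end, a forgotten file share holding an
# old customer export, a throw-away test VM, and a low-value intranet host.
INVENTORY = [
    Asset("web-banking-frontend", 5, True, [("outdated TLS configuration", 7.2)]),
    Asset("legacy-customer-export-share", 4, False,
          [("unauthenticated file share", 7.5)], in_inventory=False),
    Asset("dev-test-vm", 1, True, [("remote code execution", 9.8)]),
    Asset("hr-intranet", 2, False, []),
]


if __name__ == "__main__":
    # Severity alone would put dev-test-vm (CVSS 9.8) first; business
    # criticality and exposure move the customer-facing systems ahead of it.
    for name, score in prioritise(INVENTORY):
        print(f"{score:6.1f}  {name}")
    print("unregistered assets:", shadow_assets(INVENTORY))
```

The point of the weighting is the reordering: the test VM carries the highest CVSS but the lowest business impact, while the unregistered share with the old customer export, which no inventory-based process would have patched, ranks second and is also flagged for registration.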