The Italian data protection authority, Garante, announced a fine of 2.8 million euros (U.S. $3 million) against UniCredit for alleged violations of the General Data Protection Regulation (GDPR), citing the insufficient security measures the bank had in place at the time of a cyberattack.

The penalty, assessed in February but revealed by Garante in a translated newsletter Thursday, came in response to a 2018 data breach at UniCredit that exposed the information of hundreds of thousands of customers.

UniCredit said in an emailed statement it would challenge the regulator’s decision.

The details: A 2018 cyberattack at UniCredit affected the data of more than 750,000 customers, according to Garante. The acquired data included names, surnames, tax codes, and identification codes, while a subset of about 6,800 customers also had their PINs exposed.

The regulator’s investigation into the incident found the bank “had not adopted technical and security measures capable of effectively countering any cyberattacks and preventing its customers from using weak PINs,” according to the newsletter.

In a related matter, Garante said it assessed a penalty of €800,000 (U.S. $862,000) against cybersecurity services provider NTT Data Italia for failing to inform UniCredit in a timely manner of vulnerabilities in its system and for subcontracting some of its work without the bank's authorization.

Compliance considerations: In assessing its penalty against UniCredit, Garante said it considered the number of customers impacted by the incident and the bank’s economic status. Mitigating factors included timely adoption of corrective measures, customer support the bank provided, and that banking data was not exposed by the breach.

Bank response: “The decision of the Italian data protection authority concerns an incident—dating back to 2018—that affected a fraction of Italian customers without any compromise of bank data,” the bank said in its statement. “Moreover, such incident was immediately resolved and notified in compliance with all relevant regulations.”

UniCredit added it is investing nearly €3 billion (U.S. $3.3 billion) toward enhancing its IT security systems as part of a 2022-24 business plan.