UniCredit, Italy’s largest bank, has admitted that it suffered two data breaches in the past year, affecting 400,000 customers in total.
In a statement, the bank confirmed that no passwords were stolen in the attacks, which occurred between September and October of 2016 and then June and July this year. UniCredit did concede that personal details and international bank account numbers (IBANs) could have been accessed, but according to the CEO of UniCredit Business Integrated Solutions, Daniele Tonella, who was speaking to Bloomberg, none of the breached data can be used to carry out financial transactions. UniCredit has tweeted a telephone number for customers to find out whether their accounts have been affected.
Although the attackers may not have been able to access UniCredit customers’ accounts directly, they may be able to use the incident to launch secondary attacks. The Register warns: “Affected customers are at heightened risk of follow-up phishing attacks that leverage the spilled data in order to coax out yet more sensitive information.”
Speaking to The Register, Nick Pollard, security intelligence and analytics director at Nuix, said that this breach is a “prime example of knowing where the data is, but not ensuring it is properly protected and managed.”
He added: “Whilst the fact they know this shows they are doing a better job than most, the delay in revealing this goes to show that any business with large amounts of data must have full understanding of where, how and who manages it.”
When the EU General Data Protection Regulation (GDPR) takes effect in May 2018, the penalties for data breaches will skyrocket. Any organisation that fails to comply with the Regulation could face fines of up to €20 million or 4% of its annual global turnover – whichever is greater.
The Regulation also introduces much stronger compliance requirements, including the need to report a breach within 72 hours of discovering it.
With the implementation of the GDPR less than a year away, many organisations are looking for qualified personnel to help them achieve compliance. There is currently a severe lack of qualified personnel for skilled positions such as the data protection officer (DPO). If you’re interested in filling that gap, you should consider registering for our Certified GDPR Foundation and Practitioner Combination Course.
The course will help you gain a thorough understanding of the Regulation and a practical understanding of the methods and tools for implementing and managing an effective compliance framework. It will also explain how to fulfil the DPO role.