Incident Of The Week: UniCredit Breach Impacts 3 Million Clients

A shared characteristic of many recent data breaches is that they concern incidents that happened years ago and only recently came to light. Such an issue happened to UniCredit. The brand is an Italian banking and financial services company that operates in 14 core markets throughout Central, Western and Eastern Europe.

UniCredit opened most of its offices in Europe. However, it maintains a global presence that includes being active in places elsewhere such as North and South America, Libya and Japan.

What is Known About This Breach?

The official details about the breach from UniCredit are still limited to what the company published in a short news release on its website. On the morning of October 28, 2019, the company confirmed that its cyber security team discovered a "data incident."

It related to a single file created in 2015 that contained details associated with approximately 3 million customers in UniCredit's Italian market. According to a Reuters article, the company cannot disclose how the breach happened.

See Related: Incident Of The Week: Indian Bank Loses $13.5M In Costly Cyber-Attack

What Kind of Information Got Compromised?

UniCredit confirmed that the breached document included customer names, telephone numbers, email addresses and cities. It also said that the problem did not extend to any other personal or banking details, nor would the compromised content allow hackers to carry out unauthorized transactions.

How Did UniCredit Respond?

UniCredit representatives promptly launched an internal investigation to get to the bottom of the breach. They contacted relevant authorities, including law enforcement personnel, too. The company is notifying all potentially affected customers by postal mail and online banking messages. The company also encouraged anyone with concerns to contact the customer service team at a provided toll-free number.

What Will UniCredit Do to Prevent Similar Incidents?

Immediately after news breaks about a data breach, members of the public understandably want to know how the affected companies will stop another one from occurring. In this case, UniCredit focused on what it has already done and stayed silent regarding changes it would make after the breach happened.

The release from the company focused on the company's current business plan, known as Transform 2019. It's an initiative launched in 2016 with targets that the company wants to meet by the end of 2019.

While publishing information about its data breach, UniCredit specifically mentioned Transform 2019's efforts to improve cyber security. For starters, the company invested an extra €2.4 bn into upgrades for its IT infrastructure and cyber security measures.

In June 2019, UniCredit took another positive cyber security step by strengthening the authentication process for customers using its web, mobile banking and payment services. More specifically, people must use a one-time password or biometric identification to proceed in the system while using those platforms or services.

Those are smart steps to take. It is arguably worrisome that the firm did not give information to stop further breaches after it got informed about this one, though.

See Related: Incident Of The Week: HSBC Bank Alerts U.S. Customers Of Data Breach

Has UniCredit Had Previous Data Breaches?

The incident in late-October 2019 is not the first time the company dealt with cyber security issues. News sources detailed how 2017 was a particularly rough year for UniCredit on the cyber security front. The company became aware of two data breaches, the first occurring between September-October 2016 and another one during June and July of 2017.

It took the company nearly nine months to realize the first data breach. In the statement about those two incidents, UniCredit said those also affected the Italian market. They collectively included data from approximately 400,000 customers.

The organization mentioned then that it had "taken remedial action to close this breach." It did not specify the actions performed as part of that goal, however.

Uncertainty Reigns

UniCredit has not provided further updates beyond its initial, brief statement about this latest cyber security problem. The lack of concrete information concerning preventative measures suggests that current or prospective clients of UniCredit can do nothing more than trust that the company will do what is necessary to fix its data security shortcomings.

That could be difficult for some people to do, especially considering that UniCredit is a repeat victim of successful cyber security attacks. No company should view itself wholly protected from data breaches.

The public may find it easier to trust breached companies if those organizations specifically mention their mitigation strategies. UniCredit has yet to take that step, but it is too soon to say if that decision will prove detrimental.

See Related: Top 8 Industries Reporting Data Breaches In The First Half Of 2019