UniCredit bank breach – Data of 400,000 loan applicants exposed due to the hack of a partner

UniCredit bank breach – Data of 400,000 loan applicants exposed due to the hack of a partner. Italian media outlets downplay the risk, is it correct?

The Italian bank UniCredit admitted a series of security breaches occurred in the last year, personal data of 400,000 loan applicants have been exposed.

The Italian bank confirmed that hackers compromised the systems of an unnamed third-party provider for exposing Italian customer data. – including International Bank Account Numbers (IBANs).

“UniCredit today announced it has been the victim of a  security breach in Italy due to unauthorised access through an Italian third party provider to Italian customer data related to personal loans only.” reads the statement published by Unicredit.

“A first breach seems to have occurred in September and October 2016 and a second breach which has just been identified in June and  July 2017. Data of approximately 400,000 customers in Italy is assumed to have been impacted during these two periods. No data, such as passwords allowing access to customer accounts or allowing for unauthorised transactions, has been affected, whilst some other personal data and IBAN numbers might have been accessed.”

The financial institution confirmed that a first security breach occurred in late 2016, between September and October, while the second violation was detected between June and July 2017.

UniCredit is one of the major Italian banks, as part of Transform 2019, the bank is investing  2.3 billion euro in upgrading and strengthening its IT systems.

According to UniCredit, the breach at Italy’s biggest lender was detected 10 months after the initial compromise.

As you know I’m Italian, and I can tell you that the first reaction of the Italian media outlets was to say that there is no risk for the Unicredit customers because login credentials were not exposed.

This is not correct in my humble opinion and spread such kind of false sense of security is very dangerous.

Even if crooks cannot use stolen data to access Unicredit customer accounts, users must be informed of frauds that can be conducted by cyber criminals to deceive them.

It is easy to predict a spike in spear phishing attacks against Unicredit customers, and information stolen by hackers could make malicious messages hard to detect to common people, especially when the media outlets ensured them by saying that there is no risk.

Spear phishing campaigns could also allow crooks to bypass security measures like two-factor authentication systems. Let’s think of a phishing message including a link to a clone of the legitimate bank website. The bogus website could trick victims into providing the login credentials and also the 2FA code, then the attacker can impersonate the victim and make transactions on his behalf.

There is also the concrete risk that crooks will offer stolen data on black marketplaces allowing hackers to use them in many fraud scheme.

Even if stolen data doesn’t include email addresses, it is quite easy for hackers to use retrieve them from data dumps from other data breaches once the name of a bank customer is exposed.

Another disconcerting aspect of the UniCredit bank breach is the fact that the attack started several months ago and was disclosed only now?

This means that companies face severe difficulties in detecting fraudulent activities and raises the debate on the level of security for the entire supply chain. Once again, hackers targeted a subcontractor or a partner to violate the security of a biggest organization.

Let me close suggesting Unicredit users stay vigilant on their bank accounts, reporting any suspicious activity. Be careful to any kind of unsolicited message from the bank.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –  (UniCredit bank breach, data breach)

[adrotate banner=”13″]