UniCredit unveils data breach involving 3 million Italian clients – Comment

According to reports, UniCredit said on Monday that it has uncovered a data breach involving the personal records of 3 million domestic clients, the third security incident at Italy’s top bank in recent years.

Commenting on this, Rosemary O’Neill, director – customer delivery at NuData Security, a Mastercard company, said “All customer information is valuable to fraudsters, even if it doesn’t include financial information such as bank account details or credit and debit card numbers. Personal information, combined with other user data from other breaches and social media, builds a complete profile. In the hands of fraudsters and criminal organisations, these valuable identity sets are usually sold to other cybercriminals and used for myriad criminal activities, both on the Internet and in the physical world. Every hack has a snowball effect that far outlasts the initial breach.

“The bank has been taking steps to improve its security since its previous breaches, but bad actors still found a gap they capitalised on for this latest attack. It is positive to know that the institution is working fast on a new business plan by early December that hopefully includes technologies that protect against a broader range of attacks. However, they should also work on improving their user verification framework to prevent this breach from affecting their existing customers through account takeover attacks.


“We must change the current equation of ‘breach = fraud’ by changing how companies think about online user verification; the key is to make the stolen data valueless. Companies can use technologies that detect when a user account is taken over by an impostor with the stolen credentials. Most of the time, the data is used in automated attacks that good bot detection can catch, but a portion of the attacks still happen manually, making it challenging for companies to discern who is behind the device. This is why technologies that look at inherent user patterns, like passive biometrics, are providing confidence after a breach happens. If a customer has the right information but is behaving unusually, passive biometrics and behavioural technologies can detect this, thwarting the fraud attempt. The balance of power will return to customer protection when more companies implement such technologies.”
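The two account-takeover cases described in the comment above, as an added Python example that is not part of the article and does not represent NuData’s or any other vendor’s product: automated credential stuffing is spotted by source-IP velocity across many accounts, and a manual login that presents the correct password but the wrong behaviour is scored against a per-user baseline built from past logins. Every login record below is constructed for the example; the `typing_ms` field (mean inter-keystroke interval while typing the password) is assumed here as a stand-in for a passive-biometric signal, and the thresholds are illustrative assumptions, not tuned values.

```python
"""Account-takeover (ATO) detection over constructed login events.

Check 1: credential stuffing = one source IP cycling through many accounts
         with mostly failures (the "automated attacks" case).
Check 2: a successful login whose behaviour deviates from the user's own
         baseline: new device, new country, unusual hour, typing cadence
         far from the user's norm (the "right information, behaving
         unusually" case). Correct credentials alone contribute nothing.
"""
from collections import defaultdict
from statistics import mean, pstdev


def ev(user, success, src_ip, country, device, hour, typing_ms):
    """Build one constructed login record."""
    return {"user": user, "success": success, "src_ip": src_ip, "country": country,
            "device": device, "hour": hour, "typing_ms": typing_ms}


# Constructed history of successful logins, used only to build baselines.
HISTORY = [
    ev("alice", True, "203.0.113.5", "IT", "dev-a1", 9, 110),
    ev("alice", True, "203.0.113.5", "IT", "dev-a1", 10, 118),
    ev("alice", True, "203.0.113.9", "IT", "dev-a1", 8, 105),
    ev("alice", True, "203.0.113.5", "IT", "dev-a2", 19, 114),
    ev("bob", True, "198.51.100.7", "IT", "dev-b1", 13, 160),
    ev("bob", True, "198.51.100.7", "IT", "dev-b1", 14, 152),
    ev("bob", True, "198.51.100.7", "IT", "dev-b1", 12, 158),
]

# Constructed stream to analyse: a stuffing burst from 192.0.2.77 (seven
# accounts, one hit), a normal login by bob, and a manual ATO on alice that
# has her real password but a new device, new country, 03:00 and a slow typist.
EVENTS = [ev(u, s, "192.0.2.77", "NL", "dev-x", 3, 4)
          for u, s in [("u1", False), ("u2", False), ("u3", False), ("u4", True),
                       ("u5", False), ("u6", False), ("bob", False)]] + [
    ev("bob", True, "198.51.100.7", "IT", "dev-b1", 13, 155),
    ev("alice", True, "198.51.100.200", "BR", "dev-z9", 3, 240),
]


def build_baselines(history):
    """Per-user profile: known devices/countries, usual hours, cadence mean/sd."""
    by_user = defaultdict(list)
    for e in history:
        if e["success"]:
            by_user[e["user"]].append(e)
    profiles = {}
    for user, evs in by_user.items():
        cadence = [e["typing_ms"] for e in evs]
        profiles[user] = {
            "devices": {e["device"] for e in evs},
            "countries": {e["country"] for e in evs},
            "hours": {e["hour"] for e in evs},
            "typing_mean": mean(cadence),
            "typing_sd": max(pstdev(cadence), 5.0),  # floor avoids a near-zero divisor
        }
    return profiles


def detect_stuffing(events, min_users=5, max_success_rate=0.3):
    """Flag source IPs that try many distinct accounts with a low hit rate."""
    per_ip = defaultdict(list)
    for e in events:
        per_ip[e["src_ip"]].append(e)
    flagged = {}
    for ip, evs in per_ip.items():
        users = {e["user"] for e in evs}
        rate = sum(e["success"] for e in evs) / len(evs)
        if len(users) >= min_users and rate <= max_success_rate:
            flagged[ip] = {"accounts_tried": len(users), "success_rate": round(rate, 2)}
    return flagged


def hour_gap(a, b):
    """Circular distance between two hours of day (23 and 1 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score_login(event, profile, z_threshold=3.0):
    """Score a successful login against the user's baseline; returns (score, reasons)."""
    score, reasons = 0, []
    if event["device"] not in profile["devices"]:
        score, reasons = score + 2, reasons + ["new device"]
    if event["country"] not in profile["countries"]:
        score, reasons = score + 2, reasons + ["new country"]
    if all(hour_gap(event["hour"], h) > 2 for h in profile["hours"]):
        score, reasons = score + 1, reasons + ["unusual hour"]
    z = abs(event["typing_ms"] - profile["typing_mean"]) / profile["typing_sd"]
    if z > z_threshold:
        score, reasons = score + 3, reasons + [f"typing cadence z={z:.1f}"]
    return score, reasons


def triage(history, events, ato_threshold=4):
    """Run both checks; returns (flagged_ips, [(user, reasons), ...])."""
    profiles = build_baselines(history)
    stuffing = detect_stuffing(events)
    suspects = []
    for e in events:
        if not e["success"]:
            continue
        if e["src_ip"] in stuffing:
            suspects.append((e["user"], ["successful login from stuffing source"]))
            continue
        profile = profiles.get(e["user"])
        if profile is None:
            continue  # no baseline yet, nothing to compare against
        score, reasons = score_login(e, profile)
        if score >= ato_threshold:
            suspects.append((e["user"], reasons))
    return stuffing, suspects


if __name__ == "__main__":
    ips, hits = triage(HISTORY, EVENTS)
    print("stuffing sources:", ips)
    for user, why in hits:
        print(f"ATO suspect {user}: {', '.join(why)}")
```

Run as-is, the script flags 192.0.2.77 as a stuffing source, marks the one successful login from it, and flags alice’s login on all four behavioural signals while bob’s routine login scores zero. In production the baseline would be built from far more history and the weights learned rather than hand-set, but the shape of the decision is the same: the password being right is not evidence that the right person typed it.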


Jelle Wieringa, technical evangelist at KnowBe4, added “The incident at UniCredit shows that spending money alone isn’t enough to safeguard an organization from data breaches. After the breach in 2016, the bank invested an additional €2.4bn in its security. That is an awful lot of money to spend only to find out it wasn’t enough to stop the bad guys from getting in and stealing information. Now there isn’t very much known about the way the breach took place, but there is still a lesson which can be learned from this, even at this early stage.

“Spending money in itself isn’t enough. You need to spend it wisely, especially in cybersecurity, where the number of ways an attacker can get to you is huge and budgets for an average organization are finite. Spend it where it will matter most, where you get the best bang for your buck (or in this case, euro). Around 91% of all successful data breaches happen through the use of social engineering. Attackers manipulate the human to gain entry to what they want. This is by far more than any other type of attack. This means that if you want to spend your money wisely, think about securing the human factor of your organization. You still need to spend money on a solid perimeter defense and an up-to-date monitoring system such as a SIEM. But forgetting about the human factor is like locking all the doors on your house, but leaving all the windows wide open.

“And the most efficient way to safeguard the human factor is by training people on what is wrong and how they can make smarter security decisions. Teach them, through proper security awareness training, to recognize when someone is trying to get confidential information from them. Also, teach users the value of information. In this instance, a file from 2015 was stolen. Under GDPR, it still counts as a data breach, since most of the data in there is probably still valid. People tend to forget the value of data over time, especially if they are confronted with large amounts of it every day. Information fatigue is a real thing. In this case, training the users on the value of data wouldn’t have been enough. They would take it in, and forget it after a while. That is why user awareness training should always be a continuous process. This way, we keep the things that matter top of mind.”