Third Party Breach Leaks Records from Italy’s Largest Bank
UniCredit, Italy’s largest bank by volume and owner of several subsidiary banks across central and eastern Europe, issued a press release this week stating that they fell victim to two separate data breaches. In total, data relating to roughly 400,000 customers was leaked.
The first leak happened between September and October 2016. The second leak happened between June and July 2017. This implies that the first leak went unnoticed until incident forensics were performed after the second leak was discovered. UniCredit claims that the leaks happened through a third party provider.
This is important to note as such leaks are a current trend. Just two weeks ago Verizon suffered a massive data breach due to mismanagement of customer information it had entrusted to a third party data analysis company.
Impact & Disclosure
The press release emphasizes that no passwords or other information that could be abused to make fraudulent transactions were leaked. This is true, but it only considers online banking. While the majority of cyber security related bank fraud is indeed performed through online banking, the older techniques of bank fraud through identity theft are still employed regularly by criminals.
From that perspective, knowing identifiable information such as names, birthdates, addresses and customer status about a bank’s customers can greatly aid attackers in further attacks.
It appears that the leaks were disclosed almost immediately after their discovery by UniCredit. This is most likely due to a combination of strong awareness of data breaches among the European public, strong self regulation among European banks and heavy penalties for late reporting of breaches enforced by European legislators.
As in previous similar cases, the mistake leading to the breach appears to have been caused by a third party provider and not by the core entity impacted by the attack. In pre-IT business strategy, outsourcing critical work to a third party reduced risk for a company: if errors were made, public fallout was limited and the third party could be held responsible.
In the IT age, however, the situation has become significantly more complex. While a third party may be at fault, it is UniCredit which will suffer the image damage, and image damage is hard to compensate for.
Organizations are advised to verify the IT security capabilities of their third party partners, either by relying on industry standard certifications where available or by requiring the partners to comply with the organization’s own audit and training requirements.