Third Party Breach Leaks Records from Italy's Largest Bank

The two-part data breach was reported to authorities by UniCredit after forensic accounting uncovered signs of fraud in some of their own subsidiaries, affecting roughly 400,000 customers.

First Published 28th July 2017

Italians do 'IT' better? 

4 min read  |  Reflare Research Team

UniCredit, Italy’s largest bank by volume and owner of several subsidiary banks across central and eastern Europe, issued a press release this week stating that they fell victim to two separate data breaches. In total, data relating to roughly 400,000 customers were leaked.

The Leaks

The first leak happened between September and October 2016. The second leak happened between June and July 2017. This implies that the first leak went unnoticed until incident forensics were performed after the second leak was discovered. UniCredit claims that the leaks happened through a third-party provider.

This is important to note, as such leaks are a current trend. Just two weeks ago, Verizon suffered a massive data breach due to the mismanagement of customer information it had entrusted to a third-party data analysis company.

Impact & Disclosure

The press release emphasizes that no passwords or other information that could be abused to make fraudulent transactions were leaked. This is true but only focuses on online banking. While a majority of cyber security-related bank fraud is indeed performed through online banking, the older techniques of bank fraud through identity theft are still employed regularly by criminals.

From that perspective, knowing identifiable information such as names, birthdates, addresses and customer status of a bank’s customers can greatly aid attackers in further attacks.

It appears that the leaks were disclosed almost immediately after their discovery by UniCredit. This is most likely due to a combination of a strong awareness of data breaches among the European public, strong self-regulation among European banks and heavy penalties for late reporting of breaches enforced by European legislators.


As in previous similar cases, the mistake leading to the breach appears to have been caused by a third-party provider and not by the core entity impacted by the attack. In pre-IT business strategy, outsourcing critical work to a third party reduced risk for a company. If errors were made, public fallout was limited and the third party could be held responsible.

In the IT age, however, the situation has become significantly more complex. While a third party may be at fault, it is UniCredit that will suffer the image damage, and image damage is hard to compensate for.

Organizations are advised to verify the IT security capabilities of their third-party partners, either by relying on industry-standard certifications where available or by forcing the partners to comply with the organization's own audit and training requirements.
