In recent years, global financial services companies have repeatedly become victims of carefully planned cyber attacks designed to steal customers' personal information and banking details. The latest to suffer a data breach is Italian banking giant UniCredit, which has more than 8,500 branches in 18 countries. The bank says that a single file generated in 2015 was compromised, exposing personally identifiable information (PII) of nearly 3 million customers.
A “data incident” or “data breach”?
According to UniCredit, the personally identifiable information involved in the breach includes names, telephone numbers, email addresses, and the names of cities where these customers were registered. However, says UniCredit, the compromised file generated in 2015 did not include any other personal information, and it did not include any banking account information that would enable the hackers to make unauthorized transactions.
Moreover, the bank says this so-called “data incident” was “limited to the Italian perimeter.” In practical terms, UniCredit customers outside Italy do not appear to be affected, and because the file was generated in 2015, customers who opened accounts after that date are unlikely to appear in it. Neither statement is a guarantee of safety for those who are in the file: a name, phone number and email address recorded in 2015 are in most cases still valid today, so the data has not aged out of usefulness to an attacker.
Notably, UniCredit is referring to this high-profile data breach as a “data incident.” Most likely, this wording is intended to limit exposure under the European General Data Protection Regulation (GDPR), under which supervisory authorities can impose substantial fines on companies that fail to report a personal data breach in a timely manner, or that fail to protect personal data adequately. There is currently some debate as to whether this breach of Italian customers' data falls under the GDPR at all, given that the file predates the regulation, which only became applicable in May 2018. According to some regulatory experts, the question turns on whether the data in that 2015 file is still accurate today. If it is still valid and can still be used to defraud customers, the incident would most likely fall within the GDPR's scope.
A spotty history of internal cyber security at UniCredit
The UniCredit data breach is all the more embarrassing because it now marks the third data breach that the company has suffered in recent years. In July 2017, for example, UniCredit acknowledged that it had been the victim of data theft as part of two separate incidents. One data breach took place in September-October 2016, and a second data breach took place in June-July 2017. All told, over 400,000 Italian customers had their personal data compromised.
Investment on cyber security at UniCredit
The announcement of this new data breach is also embarrassing because the Italian bank has been spending aggressively to bolster its cyber defenses, and it now looks as though part of that investment may have been squandered. Since 2016, the bank has invested €2.4 billion in upgrading its IT systems and cyber capabilities.
One centerpiece of that strategy was a new, much stronger customer identification process, built around two-factor authentication whenever a customer uses a mobile or web service or makes an online payment. That is one reason the latest breach might be less damaging than it would have been a few years ago: an email address alone is not enough to access an account protected by a second factor. The caveat is that the leaked fields (name, phone number, email address and city) are exactly what an attacker needs to craft a convincing phishing email or phone call aimed at talking the customer into handing over that second factor, so the authentication upgrade reduces the exposure but does not remove it.
James Carder, Chief Information Security Officer & Vice President of LogRhythm Labs, comments on UniCredit’s efforts to fix its cyber problems: “The financial industry continues to be inundated with breaches, and unfortunately, this latest breach from Italian bank UniCredit is a part of a recurring theme. Even though the bank vows that it has invested in billions of Euros worth of upgrades to boost its cybersecurity program in the past few years, this data breach unveils how inadequately cybersecurity tools are implemented and utilized – and proof that you cannot just throw a bunch of money at the problem.”
Jelle Wieringa, Technical Evangelist, KnowBe4, also suggests that UniCredit could have spent its cyber investment more wisely: “Spending money in itself isn’t enough. Organizations need to spend it where it will matter most, where they get the best bang for the buck (or Euro). Around 91 percent of all successful data breaches happen through the use of social engineering. Bad actors manipulate users to gain entry to whatever assets they want, which makes securing the human factor of the organization a priority. The most efficient way to safeguard the human factor is by helping employees to make smarter security decisions through ongoing security awareness training, so that they recognize when someone is trying to get confidential information from them.”
Risks to banking customers
According to UniCredit, customers affected by the breach need not worry about unauthorized transactions, since the file contained no account data that would let attackers drain an account. Instead, the bank points to three more likely uses of the stolen data. The first is phishing: emails or calls that use the victim's real name, city and bank to appear legitimate. The second is identity theft. The third is synthetic identity fraud, in which real and fabricated personal details are blended into a new “synthetic identity”: the details of a “Marco in Milan” might, for example, be combined with invented data to create a “Maurizio in Montepulciano.”
For that reason, UniCredit customers should treat unexpected emails, text messages and calls that claim to come from the bank with suspicion, and should never supply credentials or one-time codes in response to them. To reduce the risk of new fraud being carried out, the bank says it is already working with Italian police and other authorities, and has launched an internal investigation.
Lessons learned from the UniCredit data breach
One of the biggest lessons from this UniCredit data breach is that spending money alone is not enough to safeguard an organization from data breaches. Organizations must build a culture of security in which the privacy and protection of customer data is paramount, and the time to act is before a breach, not after. Every policy and every business process should be re-thought from the perspective of privacy and cyber security best practices. This case offers one concrete example: a file generated in 2015 was still around to be stolen years later. Data retention deserves the same scrutiny as access control, because a file that has been deleted once it is no longer needed cannot leak.
Another lesson from the UniCredit data breach is the importance of transparency. In the past, organizations that suffered a data breach tried to keep the incident out of public view, and reported it only grudgingly, often much later. Now the emphasis appears to be on prompt disclosure and on working closely with law enforcement. A bank like UniCredit may take a short-term reputational hit when it discloses a breach, but prompt disclosure lets affected customers take precautions against the phishing and identity fraud that typically follow, and it signals to cybercriminals that attempts to compromise customer data will be met with a swift response from law enforcement. Whether that is enough to dissuade future attacks on the financial services industry remains to be seen.