The breaches occurred in September and October of 2016 and June to July of this year, the bank said on Wednesday in an emailed statement. Unauthorized access through an Italian third party provider gave access to some customer data related to personal loans, with the lender saying IBAN numbers and other personal data may also have been accessed. IT security experts commented below.
Donato Capitella, Senior Security Consultant at MWR InfoSecurity:
“This compromise of UniCredit customer data confirms the risks that organisations face by interconnecting their own IT systems with the ones belonging to their third party suppliers. The risk is inherent in that the security posture of these third parties often tends to be weaker. Thus, targeting third parties offers the attackers an easier, lower resistance path into the IT systems/data belonging to their larger, critical targets. We have repeatedly observed evidence of this crime displacement effect in our own experience both on the offensive and incident response side.
“It is fundamental for organisations to come to terms with the fact that raising their security posture is essential but not sufficient, especially if they are then willing to interweave their IT systems with third parties whose security posture is insufficient. They have to mandate higher security standards if they do not want to see all of their security investment undermined by the security weaknesses of their partners. At the same time, third parties that can demonstrably step up their security game will become preferred over time, and will undoubtedly have a higher chance to win important contacts in the future.”
David Emm, Principal Researcher at Kaspersky Lab:
This news is an alarming reminder that anybody’s online information can be accessed if not protected sufficiently – and yet another indication that consumers are not the only target of cybercriminals. Online providers, including banks, are themselves at increasing risk of attack, so it’s imperative that they regularly review all of their security procedures, examining possible vulnerabilities. This process should review physical security right through to the outlying areas of the organisation’s infrastructure.
In light of this attack, all online providers should apply a multitude of cyber-security solutions to minimise unauthorised access. They have a duty of care to their customers to secure the personal data they hold.
In the meantime, we advise that all Unicredit customers keep a close eye on their online bank accounts and report anything suspicious. We would also recommend the following top tips:
- Secure your all devices using Internet security software.
- Make sure you apply security updates to your operating system and applications as soon as they are available.
- Only use secure sites. Look for a URL beginning with ‘HTTPS://’– that’s ‘S’ for SECURE. Look also for a closed padlock on the web browser’s address bar – by clicking or double-clicking on it you will be able to see details of the site’s security.
- Use a unique password for every online site – use a mixture of letters, numbers and special characters and make sure they’re at least 15 characters long. Here are some tips to help you.
- Don’t click on random links in e-mails – it’s better to type in a URL yourself, to avoid the risk of ending up on a phishing site.
- Avoid using untrusted public Wi-Fi hotspots for confidential online
- Checkyour accounts regularly to make sure you notice any unusual/fraudulent activity straight away.
Andrew Clarke, EMEA Director at One Identity:
“Through its project “Transform 2019”, Unicredit bank was supposed to invest more than 2.3 billion (euro) to update and reinforce the IT systems. The bank was aware of issues since 2016 and is targeting 2019 before addressing. This demonstrates once again a strategy of reaction vs a proactive action does not pay off. This repeated attack demonstrates that a lack of attention by the business in supporting the Information Systems has had high impact across the whole company.“
“We rely on our service providers to protect our personal information – that is the trust we place in them. When a bank reveals that data has been stolen, even if money has not been stolen, that trust is undermined. In this case, it is believed that name, address and ID card number have been stolen – significant personal identifiable information (PII) that comprises personal integrity. It is the responsibility of the bank to take necessary measures to implement the best available security, such as data governance and for third party access, protection of privileged accounts to safeguard access to systems; and the ability to provide auditable information that, in the event of an incident, can be used to comprehend the impact and correct it. Under GDPR the demonstration of all of these important data governance elements will become even more important.”
