It has been reported that UniCredit has revealed a data breach resulting in the leak of information belonging to three million customers. On Monday, the Italian bank and financial services organisation said that a compromised file, generated in 2015, is the source of the security incident. In total, roughly three million records were exposed, revealing the names, telephone numbers, email addresses, and cities where clients were registered.
Malicious and nation state actors often fix their crosshairs on third-party providers because they are known to have poor security measures in place and provide trusted access to the digital assets of many clients. Hacking into these third parties is a frequently used strategy for campaigns with an eye to spreading malware, public discord and disinformation, election interference, personal data theft, and fraud. Carefully vetting digital vendors, enforcing digital policies, and closely monitoring vendor activities can drastically reduce the risk of being hacked. Government organizations in particular should bolster their defenses as they fall prey to a variety of attackers who want access to their audiences and data trove.
All customer information is valuable to fraudsters, even if it doesn’t include financial information such as bank account details or credit and debit card numbers. Personal information, combined with other user data from other breaches and social media, builds a complete profile. In the hands of fraudsters and criminal organisations, these valuable identity sets are usually sold to other cybercriminals and used for myriad criminal activities, both on the Internet and in the physical world. Every hack has a snowball effect that far outlasts the initial breach.
The bank has been taking steps to improve its security since its previous breaches, but bad actors still found a gap they capitalised for this last attack. It is positive to know that the institution is working fast on a new business plan by early December that hopefully includes technologies that protect from a broader range of attacks. However, they should also work on improving their user verification framework to prevent this breach from affecting their existing customers through account takeover attacks.
We must change the current equation of "breach = fraud" by changing how companies think about online user verification; the key is to make the stolen data valueless. Companies can use technologies that detect when a user account is taken over by an impostor with the stolen credentials. Most of the time, the data is used on automated attacks that good bot-detection can detect, but a portion of the attacks still happen manually, making it challenging for companies to discern who is behind the device. This is why technologies that look at inherent user patterns like passive biometrics are providing confidence after a breach happens. If a customer has the right information but is behaving unusually, passive biometrics and behavioural technologies can detect this, thwarting the fraud attempt. The balance of power will return to customer protection when more companies implement such technologies.
Given that the UniCredit compromise came as the result of a file from 2015, the file in question was likely an improperly stored backup file of some nature. While not extremely common, this is something we do see a fair amount in the wild – a database that got deprecated, but never destroyed, or a backup file left exposed in an S3 bucket, just waiting for someone to stumble upon it. In fact, a similar issue happened to DoorDash just barely a month ago.
Given the age of this file, it’s unlikely that it was stolen in relation to their current production app, but instead was an unsecured vestigial or forgotten asset that led to the compromise of the greater organization. This goes to show that it’s important to understand your entire attack surface and all the associated unknowns; attackers rarely come in through the front door. They’re clever adversaries and will scour the internet for the lowest hanging fruit that will allow for the highest degree of compromise – whether unprotected, unpatched, old servers, exposed buckets, or anything else.
Securing your organization is never as simple as securing your primary assets – there are so many other attack surfaces out there that you might not be aware of. When you put human creativity up against these adversaries to find these unknown assets and vulnerabilities, you’re taking the power back, identifying and securing assets before they can be exploited.
The breach at UniCredit underscores the fact that software vulnerabilities are not the only cause for data breaches, and that (trusted) people with access to sensitive information have to be considered in a risk assessment. People make mistakes; we’re in the business of catching mistakes and fixing them.
I recommend setting up policies that prohibit storing personally identifiable information in an unencrypted form and strictly enforcing them. When looking at the UniCredit incident, it’s clear that they either did not have such a policy or it wasn’t followed, giving attackers an open invitation to grab data.
Having a vulnerability disclosure program can help avoid these situations, first by incentivizing whitehat security researchers to look for them, and second by giving whoever found the data an ethical option to report it.
The incident at UniCredit shows that spending money alone isn’t enough to safeguard an organization from data breaches. After the breach in 2016, the bank invested an additional Euro 2.4bn in its security. That is an awful lot of money to spend only to find out it wasn’t enough to stop the bad guys from getting in and stealing information.
There isn’t very much known about the way the UniCredit breach took place. But there is still a lesson which can be learned from this, even at this early stage.
Spending money in itself isn’t enough. Organizations need to spend it where it will matter most, where they get the best bang for the buck (or Euro). Around 91% of all successful data breaches happen through the use of Social Engineering. Bad actors manipulate users to gain entry to whatever assets they want, which makes securing the human factor of the organization a priority. The most efficient way to safeguard the human factor is by helping employees to make smarter security decisions through ongoing security awareness training, so that they recognize when someone is trying to get confidential information from them.
It’s also important to teach users the value of information. In this instance, a file from 2015 was stolen. Under GDPR, it counts as a data breach, since it’s likely that most of the data is still valid. People tend to forget the value of data over time, especially if they are confronted with large amounts of it every day, and information fatigue is a real thing.
Organizations still need to spend money on a solid perimeter defense, and an up-to-date monitoring system such as a SIEM. But forgetting about the human factor is like locking all the doors on a house but leaving all the windows wide open.