Experts On UniCredit Reveals Data Breach Exposing 3 Million Customer Records

It has been reported that UniCredit has revealed a data breach resulting in the leak of information belonging to three million customers. On Monday, the Italian bank and financial services organisation said that a compromised file, generated in 2015, is the source of the security incident. In total, roughly three million records were exposed, revealing the names, telephone numbers, email addresses, and cities where clients were registered.

Expert Comments

October 29, 2019
Jonathan Knudsen
Senior Security Strategist
Synopsys
For anyone who has ever thought, "no one will ever find this," the ongoing parade of disclosures about unprotected databases should raise a big red flag. How do we ensure this never happens again? Education is the first step. Anyone who understands the danger of exposing data on the internet will make better choices, like requiring authentication and encrypting data at rest. Policy is the second step. Enforcing a policy that any public-facing server configuration must be reviewed and approved would help minimise the risk of these types of incidents.
October 30, 2019
Mike Bittner
Associate Director of Digital Security and Operations
The Media Trust
Malicious and nation state actors often fix their crosshairs on third-party providers because they are known to have poor security measures in place and provide trusted access to the digital assets of many clients. Hacking into these third parties is a frequently used strategy for campaigns with an eye to spreading malware, public discord and disinformation, election interference, personal data theft, and fraud. Carefully vetting digital vendors, enforcing digital policies, and closely monitoring vendor activities can drastically reduce the risk of being hacked. Government organizations in particular should bolster their defenses as they fall prey to a variety of attackers who want access to their audiences and data trove.
October 30, 2019
Rosemary O'Neill
Director - Customer Delivery
NuData Security
All customer information is valuable to fraudsters, even if it doesn’t include financial information such as bank account details or credit and debit card numbers. Personal information, combined with other user data from other breaches and social media, builds a complete profile. In the hands of fraudsters and criminal organisations, these valuable identity sets are usually sold to other cybercriminals and used for myriad criminal activities, both on the Internet and in the physical world. Every hack has a snowball effect that far outlasts the initial breach. The bank has been taking steps to improve its security since its previous breaches, but bad actors still found a gap they capitalised on for this last attack. It is positive to know that the institution is working fast on a new business plan by early December that hopefully includes technologies that protect from a broader range of attacks. However, they should also work on improving their user verification framework to prevent this breach from affecting their existing customers through account takeover attacks. We must change the current equation of "breach = fraud" by changing how companies think about online user verification; the key is to make the stolen data valueless. Companies can use technologies that detect when a user account is taken over by an impostor with the stolen credentials. Most of the time, the data is used in automated attacks that good bot-detection can detect, but a portion of the attacks still happen manually, making it challenging for companies to discern who is behind the device. This is why technologies that look at inherent user patterns like passive biometrics are providing confidence after a breach happens. If a customer has the right information but is behaving unusually, passive biometrics and behavioural technologies can detect this, thwarting the fraud attempt. The balance of power will return to customer protection when more companies implement such technologies.
October 30, 2019
Grant McCracken
Director, Solutions Architecture
Bugcrowd
Given that the UniCredit compromise came as the result of a file from 2015, the file in question was likely an improperly stored backup file of some nature. While not extremely common, this is something we do see a fair amount in the wild - a database that got deprecated, but never destroyed, or a backup file left exposed in an S3 bucket, just waiting for someone to stumble upon it. In fact, a similar issue happened to DoorDash just barely a month ago. Given the age of this file, it’s unlikely that it was stolen in relation to their current production app, but instead was an unsecured vestigial or forgotten asset that led to the compromise of the greater organization. This goes to show that it’s important to understand your entire attack surface and all the associated unknowns; attackers rarely come in through the front door. They’re clever adversaries and will scour the internet for the lowest hanging fruit that will allow for the highest degree of compromise - whether unprotected, unpatched, old servers, exposed buckets, or anything else. Securing your organization is never as simple as securing your primary assets - there are so many other attack surfaces out there that you might not be aware of. When you put human creativity up against these adversaries to find these unknown assets and vulnerabilities, you’re taking the power back, identifying and securing assets before they can be exploited.
October 30, 2019
Shpend Kurtishaj
Director of International Security Operations
Bugcrowd
The breach at UniCredit underscores the fact that software vulnerabilities are not the only cause of data breaches, and that (trusted) people with access to sensitive information have to be considered in a risk assessment. People make mistakes; we’re in the business of catching mistakes and fixing them. I recommend setting up policies that prohibit storing personally identifiable information in an unencrypted form and strictly enforcing them. When looking at the UniCredit incident, it’s clear that they either did not have such a policy or it wasn’t followed, giving attackers an open invitation to grab data. Having a vulnerability disclosure program can help avoid these situations, first by incentivizing whitehat security researchers to look for them, and second by giving whoever found the data an ethical option to report it.
October 29, 2019
Jelle Wieringa
Technical Evangelist
KnowBe4
The incident at UniCredit shows that spending money alone isn't enough to safeguard an organization from data breaches. After the breach in 2016, the bank invested an additional Euro 2.4bn in its security. That is an awful lot of money to spend only to find out it wasn't enough to stop the bad guys from getting in and stealing information. There isn't very much known about the way the UniCredit breach took place. But there is still a lesson which can be learned from this, even at this early stage. Spending money in itself isn't enough. Organizations need to spend it where it will matter most, where they get the best bang for the buck (or Euro). Around 91% of all successful data breaches happen through the use of Social Engineering. Bad actors manipulate users to gain entry to whatever assets they want, which makes securing the human factor of the organization a priority. The most efficient way to safeguard the human factor is by helping employees to make smarter security decisions through ongoing security awareness training, so that they recognize when someone is trying to get confidential information from them. It’s also important to teach users the value of information. In this instance, a file from 2015 was stolen. Under GDPR, it counts as a data breach, since it’s likely that most of the data is still valid. People tend to forget the value of data over time, especially if they are confronted with large amounts of it every day, and information fatigue is a real thing. Organizations still need to spend money on a solid perimeter defense, and an up-to-date monitoring system such as a SIEM. But forgetting about the human factor is like locking all the doors on a house but leaving all the windows wide open.
October 29, 2019
James Carder
Chief Information Security Officer & Vice President
LogRhythm Labs
The financial industry continues to be inundated with breaches, and unfortunately, this latest breach from Italian bank UniCredit is a part of a recurring theme. Even though the bank vies that it has invested in billions of euros worth of upgrades to boost its cybersecurity program in the past few years, this data breach unveils how inadequately cybersecurity tools are implemented and utilized – and proof that you cannot just throw a bunch of money at the problem. In today’s modern, data-centric landscape, customers’ personally identifiable information (PII) is more vulnerable to attack than ever before. There is no doubt that there are thousands of financial institutions with sensitive data stored that have similarly been compromised and have yet to find the threat. If they want to prevent security incidents from transforming into catastrophic breaches, they must have a coherent strategy; leverage the latest in detection, automation, and orchestration technologies; and ensure that these tools are bi-directionally integrated and battle tested.
October 29, 2019
Sam Curry
Chief Security Officer
Cybereason
The hackers have a machine that is ready to grind up identities, and they will point it at the industries, countries, and organisations that give them the fastest path to the most money with the least cost and risk. Not-for-profit organisations often have the least resources for support functions, like security, and in the old days of hacking were considered inappropriate targets. Once upon a time, hackers didn’t attack “muggles,” to borrow from JK Rowling’s Harry Potter lexicon. Not so anymore with the almighty dollar dominating the dark side. Everyone can have vulnerabilities and weaknesses, but the American Cancer Society breach should be a wake-up call to everyone: if you aren’t improving your security posture and hygiene constantly, it’s a question of when, not if, the great credit card fraud machinery of organised cybercrime comes for you.