UniCredit says 400,000 accounts were hacked, exposing data

UniCredit SpA said hackers accessed about 400,000 client bank accounts in Italy, taking biographical and loan data in one of the biggest breaches in Europe to date.

The incidents occurred in September and October of 2016 and June to July of this year, the bank said on yesterday in an emailed statement. Unauthorized access was gained through an Italian third-party provider to some customer data related to personal loans, with the lender saying IBAN numbers and other personal data may also have been reached. A spokesman declined to identify the third party involved.

Banks are boosting cyber-defense budgets and hiring former intelligence and law enforcement officials to build up defenses against hackers as lenders open their networks to connect with new money-management apps and other fintech offerings. In the U.K., banks such as Barclays Plc and Deutsche Bank AG have joined forces with law enforcement in a unit called the Cyber Defence Alliance.

The most recent attacks were detected between Monday and Tuesday and led to the discovery of the incidents that took place last year, two people familiar with the matter said, asking not to be identified discussing a possible criminal matter.

“I expect that this case will lead to all Italian banks reviewing their IT systems,” said Francesco Confuorti, chief executive officer of Advantage Financial SA, a Milan-based investment firm. “This is the first attack targeting an Italian bank and confirms that IT systems, particularly in Italy, need massive investment to avoid a loss of confidence.”

Banking industry leaders are worried about more than the theft of customers’ data or money. Cybercriminals might also damage account databases and render them unusable, said Becky Pinkard, vice president of service delivery and intelligence at Digital Shadows Ltd., a London-based cyberdefense firm.

“Banks are justified in their fear of corrupted data,” Pinkard said. “Attackers could harm the bank by adding or subtracting a zero to every balance, or even deleting entire accounts.”

In May and June, two ransomware attacks dubbed WannaCry and Petya swept the globe and temporarily crippled operations in entities ranging from Britain’s National Health Service to oil companies and automakers. While Western banks were unaffected, the Petya attack penetrated 80 Ukrainian banks. Cybersecurity experts are bracing for more hacks of this magnitude in the months to come.

The breach at UniCredit involved customers with financing and consumer-credit loans, Daniele Tonella, CEO of UniCredit Business Integrated Solutions, the IT unit of the bank, said in a phone interview. The bank’s IT department discovered anomalies while conducting checks, finding that some users from an external commercial partner were accessing client data. UniCredit, immediately blocked the intruders, closed the breaches and upgraded the system, he said.

“There aren’t material damages for the bank and its clients from these attacks,” Tonella said. “No data, such as passwords allowing access to customer accounts or allowing for unauthorised transactions, has been affected.”

UniCredit, which is investing 2.3 billion euros (USD2.7 billion) in upgrading and strengthening its IT systems, has started an audit and will file a report with the Milan prosecutor, it said. The bank’s IT investments include the strengthening of infrastructure through digitalization activities, technological development of core systems and the continuous updating of the infrastructure, while ensuring compliance with regulatory requirements. Sonia Sirletti, Edward Robinson, Bloomberg