Italy’s UniCredit reveals data attack involving 400,000 clients

MILAN (Reuters) – Suspected hackers have accessed client data of Italy’s biggest lender, UniCredit (CRDI.MI), in two attacks in the past 10 months and affected about 400,000 Italian customers, the most serious data breach ever reported by a major Italian lender.

No passwords were stolen in the attacks, which first occurred in September and October of 2016 and again in June and July of this year, but personal and banking details could have been accessed, UniCredit said in a statement.

The attacks were carried out through an external commercial partner, which UniCredit did not identify. Wednesday’s statement also did not describe how the intruders accessed the data nor when the bank became aware of the first intrusion.

A source familiar with the matter said the bank had only uncovered the data breaches between Monday and Tuesday.

“The bank immediately adopted all necessary measures to prevent a repeat of such intrusions,” the bank said, adding that it had notified law-enforcement authorities.

The head of UniCredit’s information technology unit, Daniele Tonella, said none of the data accessed by the attackers allowed any financial transaction to be carried out.

“We don’t know why this data was acquired,” he told Reuters, adding that the bank also did not know who was behind the attacks.

Attacks on banks in recent years have become more sophisticated and resulted in mounting financial losses.

They have evolved beyond data breaches, in which personal information is stolen, to include denial-of-service attacks, which have knocked out access to online banking services for up to several days, and even intrusions into core banking systems.

Last November, attackers stole more than 2.5 million pounds ($3.25 million) from Tesco Bank in Britain’s largest disclosed cyber heist.

UniCredit shares were down 0.9 percent at 16.87 euros in late morning trade.

Additional reporting by Silvia Aloisi; Editing by Mark Bendeich and Edmund Blair