The leading Italian bank UniCredit yesterday announced that approximately 400,000 of its customers' data were exposed when a third party provider was hacked, BBC News reports. The third party hasn't been publicly identified.
According to Reuters, the incident is the most serious data breach ever reported by a major Italian financial institution.
The bank says the data was stolen in two separate breaches, one in September and October of 2016 and the second in June and July of 2017. While customers' personal information was exposed, UniCredit says no passwords were accessed.
"UniCredit has launched an audit and has informed all the relevant authorities," the bank said in a statement. "In the morning, UniCredit will also file a claim with the Milan Prosecutor's office. The bank has also taken immediate remedial action to close this breach."
Reuters reports that prosecutors in Milan have begun a probe into the breach.
Basic Security Hygiene
Paul Norris, senior systems engineer for EMEA at Tripwire, told eSecurity Planet by email that the fact that two separate breaches occurred in less than a year indicates the organization urgently needs to evaluate its security measures.
"Basic security hygiene needs to be adopted by all enterprises, not just financial institutions, and this includes secure configurations and vulnerability management, as well as performing specific threat assessment and countermeasures, which will reduce the overall risk of future attacks," Norris said.
Evident.io CEO Tim Prendergast said by email that customers have a right to expect that their personal information will be handled securely. "Enterprises, therefore, must demand that their partners operate according to the same security rules and protocols they abide by when it comes to customer data," he said.
"It should be a requirement that all partners use continuous security monitoring of their cloud environments, and adhere to rigorous security protocols if they want to work with a vendor," Prendergast added.
Bottom Line Impact
Matt Walmsley, EMEA director at Vectra Networks, said the breach is a stark reminder that businesses need to take extra care with who can access sensitive customer data. "In an effort to save costs, businesses often outsource functions to third-party providers and external contractors," he said. "However, businesses have a duty of care to protect personal information regardless of whether they manage it in-house or out-of-house."
Regardless of the cause, the impact of a breach on a company's bottom line can be significant. A recent Ponemon Institute survey, sponsored by Centrify, found that the stock value index of 113 companies declined by an average of five percent on the day a breach was disclosed, and the companies experienced up to a seven percent customer churn.
Even more strikingly, 31 percent of consumers impacted by a breach said they discontinued their relationship with the organization that experienced the breach.
"Data breaches are very real business and bottom line concerns," Centrify CEO Tom Kemp said in a statement.