Hackers breach 400,000 UniCredit bank accounts

UniCredit, Italy's No. 1 bank, said hackers took biographical and loan data from 400,000 client accounts in one of the biggest breaches of European banking security this year.

The attack occurred in September and October of 2016 and June to July of this year, according to an emailed statement from the bank on Wednesday. UniCredit only discovered the breaches this week, two people familiar with the matter said, asking not to be identified discussing a possible criminal matter.

Cyberattacks on corporations and banks are accelerating. In May and June, two ransomware assaults swept the globe, freezing databases and knocking out operations at entities ranging from Britain's National Health Service to Russian oil giant Rosneft OAO. Dozens of Ukrainian lenders were also affected by the so-called Petya outbreak last month. Today's disclosure also comes as Italian banks seek to win investor support after struggling with bad loans.

UniCredit signage is displayed outside of the company's office in Rome.
A sign stands outside/on the Unicredit SpA office in Rome, Italy, on Thursday, Dec. 15, 2011. UniCredit SpA's share sale cannot be avoided after the decision of the European Council to give the ECB the task of ensuring that all banks have sufficient liquidity, Chairman Dieter Rampl said at a shareholders meeting today. Photographer: Alessandra Benedetti/Bloomberg

"This is the first attack targeting an Italian bank and confirms that IT systems, particularly in Italy, need massive investment to avoid a loss of confidence," said Francesco Confuorti, chief executive officer of Advantage Financial SA, a Milan-based investment firm. "I expect that this case will lead to Italian banks reviewing their IT systems."

In Europe, lenders such as Barclays Plc, Banco Santander SA and Deutsche Bank AG, have joined forces with law enforcement personnel to mount a unified defense against cybercriminals by sharing expertise and information. Industry chiefs are hiring former intelligence personnel and tapping startups for technology to safeguard their databases.

Given the vast complexity of banking computer systems, it can be hard to root out hackers who burrow deep into networks and can operate for months undetected, said Thomas Lemon, a London-based managing director for technology consulting at Protiviti Ltd.

"You have a complicated IT landscape with huge amounts of data to sift through to see if a breach is occurring," Lemon said. "The bad guys are creative, and the history of past attacks doesn't tell you the right indicators to look for, so you're trying to find a needle in a haystack."

At UniCredit, the intruders gained unauthorized access to customer data through an outside company employed by the bank. The bank's IT department discovered anomalies while conducting checks, finding that some users from the external commercial partner were accessing client data, said Daniele Tonella, CEO of UniCredit Business Integrated Solutions, the IT unit of the bank, in a phone interview. UniCredit immediately blocked the hackers, closed the breaches and upgraded the system, he said.

UniCredit said international bank account numbers, also known as IBANs, and other personal information may have been taken. A spokesman declined to identify the third party involved.

"There aren't material damages for the bank and its clients from these attacks," Tonella said. "No data, such as passwords allowing access to customer accounts or allowing for unauthorised transactions, has been affected."

UniCredit, which is investing 2.3 billion euros in upgrading and strengthening its IT systems, has started an audit and will file a report with the Milan prosecutor, it said. The bank is working to strengthen its core systems and update its digital infrastructure, while ensuring compliance with regulatory requirements.

Cybersecurity experts are bracing for a wave of ever more ambitious hacks to hit in months to come with the often limited ability to catch perpetrators. Banking industry leaders are worried about more than the theft of customers' data or money. Cybercriminals might also damage account databases and render them unusable, said Becky Pinkard, vice president of service delivery and intelligence at Digital Shadows Ltd., a London-based cyberdefense firm.

"Banks are justified in their fear of corrupted data," Pinkard said. "Attackers could harm the bank by adding or subtracting a zero to every balance, or even deleting entire accounts."

Bloomberg News
Data breaches Cyber attacks
MORE FROM AMERICAN BANKER