Italy’s data protection authority (DPA) has fined UniCredit, one of the country’s large-scale retail banks, over a 2018 data breach case that affected more than 750,000 customers.
The cyber-attack on the bank’s mobile banking platform in 2018 resulted in the illicit acquisition of names, tax codes, and other identification codes for customers and former customers.
DPA said that it has considered the large number of people involved in the data breach and its seriousness, along with the timely adoption of corrective measures.
UniCredit is planning to appeal the DPA decision to court, adding that no bank data had been compromised and the incident had been immediately resolved.
“The security of customer data is a top priority for UniCredit, adding it was investing 2.8 billion euros as part of a programme to reinforce protection.”
In 2017, UniCredit announced that the personal financial data of some 400,000 customers, who have taken out loans through the bank, had been compromised by unauthorised third parties.
In 2019, the bank announced another data breach that affected the personal records of more than three million customers, according to a Finextra report.
In 2021, The European Commission (EC) found that UniCredit and other banks were violating the EU antitrust rules by participating in bond trading cartels.
Other banks include Bank of America, Natixis, Nomura, NatWest, UBS, and WestLB (Portigon).
A group of traders from the specific banks participated in a cartel in the primary and secondary market for European Government Bonds (EGB) from 2007 to 2011.
In a separate development, Italy’s DPA also launched an investigation into a service developed by Microsoft-backed Open AI that can generate videos based on text prompts.
The regulator asked Open AI to clarify whether the data it employs for its product, known as Sora, is in line with European Union (EU) regulations.
The Italian regulator is one of the bloc’s most proactive authorities in assessing AI platform compliance with the EU’s data privacy regime.
In addition, DPA asked how the algorithm was trained, which data were collected and used to train it, and if the service is already available to users in the EU and Italy.