The bank revealed that the security breach occurred through an Italian third-party provider. It is one of the most serious data breaches reported by the bank.
The bank did not identify the third-party provider and did not give any details on how the breach could have occurred, the exact time of the attack, or when it became aware of the breach.
The first breach was noted in September and October last year, and a second breach was identified in June and July this year.
The bank also reported that data such as passwords, which would give access to customer accounts or allow unauthorized transactions, was not affected in the breach, but it suspects that some other personal data and International Bank Account Numbers (IBANs) might have been stolen.
In a statement, the bank said: “UniCredit has launched an audit and has informed all the relevant authorities. In the morning, UniCredit will also file a claim with the Milan Prosecutor's office. The bank has also taken immediate remedial action to close this breach.”
While the bank had informed authorities about the security breach, it had also started its own internal security audit, which, according to The Register, may tap into at least a part of the €2.3bn budget previously allocated to upgrade and strengthen its IT systems.
The bank's detection came 10 months after the first breach, and this period could have been crucial, as hackers could have resorted to phishing attacks to get further data from the bank's customers.
Image: Hackers hack data of 400,000 UniCredit customers in Italy. Photo: Courtesy of freedooom/FreeDigitalPhotos.net.