Two security breaches on the largest Italian bank UniCredit S.p.A, have led to the accounts of 400,000 loan customers being accessed and their data being stolen, said the bank on the morning of July 26. The attacks that took place in 2016 were discovered by the bank this week only after it discovered that users from that third party were looking at client data.
According to an emailed statement from the bank on Wednesday, the accounts were hacked in September and October 2016 and most recently, in June and July this year.
The Milan-based bank has said a contractor is to blame for the breach. The attack comes after 80 Ukrainian lenders compromised in June.
The bank said the hackers took biographical and loan data of the clients, including their account numbers, in one of the biggest breaches of European banking security this year. But it added that the accounts’ passwords had not been compromised so the hackers could not have carried out unauthorised transactions, or access bank accounts.
Those affected appear to be customers who have taken out loans with the bank, which the culprit third party dealt with.
A statement from the bank says that it has launched an audit and has informed the relevant authorities. Customers who fear they may be affected are told that they should call their regular branch. The bank will also be contacting customers they know to be affected. Two people familiar with the matter said, asking not to be identified discussing a possible criminal matter.
The attack represents the biggest cyber-incident of its kind reported by an Italian bank till date.
Cyberattacks on corporations and banks are accelerating. In May and June, two ransomware assaults swept the globe, freezing databases and knocking out operations at entities ranging from Britain’s National Health Service to Russian oil giant Rosneft OAO. Dozens of Ukrainian lenders were also affected by the so-called Petya outbreak last month.