UniCredit SpA, Italy’s No. 1 bank, said hackers took biographical and loan data from 400,000 client accounts in one of the biggest breaches of European banking security this year.
The attack occurred in September and October of 2016 and June and July of this year, according to an emailed statement from the bank on Wednesday. UniCredit only discovered the breaches this week, two people familiar with the matter said, asking not to be identified discussing a possible criminal matter.
Cyberattacks on corporations and banks are accelerating. In May and June, two ransomware assaults swept the globe, freezing databases and knocking out operations at entities ranging from Britain’s National Health Service to Russian oil giant Rosneft OAO. Dozens of Ukrainian lenders were also affected by the so-called Petya outbreak last month.
“This is the first attack targeting an Italian bank and confirms that IT systems, particularly in Italy, need massive investment to avoid a loss of confidence,” said Francesco Confuorti, chief executive officer of Advantage Financial SA, a Milan-based investment firm. “I expect that this case will lead to Italian banks reviewing their IT systems.”
Today’s hack also comes after the Italian financial system had stabilized, with the nation’s taxpayers funding the wind-down of two troubled banks earlier this year.
In Europe, lenders such as Barclays Plc, Banco Santander SA and Deutsche Bank AG have joined forces with law-enforcement personnel to mount a unified defense against cyber-criminals by sharing expertise and information. Industry chiefs are hiring former intelligence personnel and tapping startups for technology to safeguard their databases.
Given the vast complexity of banking computer systems, it can be hard to root out hackers who burrow deep into networks and can operate for months undetected, said Thomas Lemon, a London-based managing director for technology consulting at Protiviti Ltd.
“You have a complicated IT landscape with huge amounts of data to sift through to see if a breach is occurring,” Lemon said. “The bad guys are creative, and the history of past attacks doesn’t tell you the right indicators to look for, so you’re trying to find a needle in a haystack.”
At UniCredit, the intruders gained unauthorized access to customer data through an outside company employed by the bank. The bank’s IT department discovered anomalies while conducting checks, finding that some users from the external commercial partner were accessing client data, said Daniele Tonella, CEO of UniCredit Business Integrated Solutions, the IT unit of the bank, in a phone interview. UniCredit immediately blocked the hackers, closed the breaches and upgraded the system, he said.
UniCredit said international bank account numbers, also known as IBANs, and other personal information may have been taken. A spokesman declined to identify the third party involved.
“There aren’t material damages for the bank and its clients from these attacks,” Tonella said. “No data, such as passwords allowing access to customer accounts or allowing for unauthorized transactions, has been affected.”
UniCredit, which is investing 2.3 billion euros in upgrading and strengthening its IT systems, has started an audit and will file a report with the Milan prosecutor, it said. The bank is working to strengthen its core systems and update its digital infrastructure, while ensuring compliance with regulatory requirements.
The country’s central bank and the Association of Italian Banks are monitoring the situation with a computer emergency response team created last year to strengthen financial cybersecurity, a Bank of Italy spokeswoman said in Rome.
Cybersecurity experts are bracing for a wave of ever-more-ambitious hacks to hit in months to come, while their ability to catch perpetrators is often limited. Banking leaders are worried about more than the theft of customers’ data or money: cyber-criminals might also damage account databases and render them unusable, said Becky Pinkard, vice president of service delivery and intelligence at Digital Shadows Ltd., a London-based cyber-defense firm.
“Banks are justified in their fear of corrupted data,” Pinkard said. “Attackers could harm the bank by adding or subtracting a zero to every balance, or even deleting entire accounts.”