UniCredit plans to appeal €2.8m data breach fine

Italy’s data protection authority has imposed a fine of €2.8m on UniCredit, the second-largest bank in the country, for a data breach that occurred in 2018.

The fine relates to a cyber attack on the bank’s mobile banking platform in 2018, which resulted in sensitive information including names, tax codes and other identification details of approximately 750,000 customers being leaked.

“Banks must take all necessary technical and organisational and security measures to prevent their customers’ data from being unlawfully stolen,” the authority said.

In response, UniCredit has announced plans to appeal the data protection authority’s decision, stating that the incident had been immediately resolved and no bank data had been compromised in the breach.

However, this breach wasn’t the bank’s first. In 2017, the bank disclosed that personal financial information belonging to approximately 400,000 customers who had obtained loans through the institution had been unlawfully accessed by unauthorised third parties.

Additionally, in 2019 UniCredit discovered yet another data breach, this time impacting the personal records of over three million customers. 

In addition to appealing the authority’s decision, the Italian bank has said that it is investing €2.8bn as part of a programme to reinforce protection.

Just over two months into 2024, the year has shaped up to be an active one for regulatory enforcement action against banks, with instances occurring across various markets.

JP Morgan was charged in January by the US Securities and Exchange Commission (SEC) for ‘impeding hundreds of advisory clients and brokerage customers’ from reporting potential securities law violations between March 2020 and July 2023.