Cyber Incident Victim: Intesa Sanpaolo
Date: Sep 2015
Location: Italy
Summary
Hackers from Ghost Italy, affiliated with Anonymous, breached Intesa Sanpaolo and Unipol Banca, exfiltrating 90 databases containing customer and employee emails, phone numbers, usernames, and passwords. The compromised data, posted publicly, was claimed by the group as part of #OpBankDump to criticize financial institutions' exploitation practices. The bank asserted that the leaked information originated from an external provider, involved encrypted credentials, and posed no risk to clients. The attackers aimed to demonstrate inadequate data protection and protest perceived societal harm caused by banks.
Description
On September 27, 2015, hackers affiliated with Ghost Italy, an external cell of Anonymous Italia, publicly claimed responsibility for breaching Intesa Sanpaolo and Unipol Banca under the operation #OpBankDump. The group announced the attack at approximately 17:00 via online channels, including Ghostbin—a platform commonly used by Anonymous to publish communications—and through web chats coordinating their activities. Ghost Italy asserted it had exfiltrated 90 databases containing approximately 6,000 records of email addresses, phone numbers, usernames, and passwords belonging to customers, employees, and corporate clients of the targeted banks. The leaked data also included information linked to other entities such as Wind, Enel, and Engitel, organized primarily by domain name and company affiliation. In their manifesto accompanying the data dump, the group framed the attack as a protest against financial institutions, accusing banks of exploiting public welfare and operating without accountability. Ghost Italy explicitly stated the breach aimed to expose inadequate data protection practices, alleging banks wasted customer funds on ineffective security measures despite holding sensitive information. The hackers referenced prior operations against Italian police websites during that summer, reinforcing their pattern of ideologically motivated cyber activism targeting institutional entities.

Both Intesa Sanpaolo and Unipol Banca denied unauthorized access to their internal systems when contacted by media. Intesa confirmed the authenticity of the leaked data but clarified it originated from an external provider, not the bank’s direct infrastructure. The bank emphasized the compromised passwords were encrypted versions provided to the third-party vendor, rendering them operationally useless for accessing actual customer accounts or banking profiles. This assessment indicated minimal direct risk to client assets or transactional systems, though some exposed personal details like phone numbers and email addresses were validated as accurate. Unipol Banca similarly rejected claims of system penetration, aligning its response with Intesa’s technical rebuttal. Ghost Italy maintained the attack demonstrated institutional negligence toward data privacy, citing the presence of 90 databases during the Intesa breach as evidence of systemic vulnerabilities. No customer financial losses or account compromises were reported following the incident. The operation highlighted tensions between hacktivist collectives and financial institutions while underscoring supply-chain risks in banking data management.
