Cyber Incident Victim: UniCredit SpA

UniCredit disclosed a data breach on October 28, 2019, involving unauthorized access to a 2015 file containing personal records of approximately 3 million Italian clients. The compromised data included customer email addresses and telephone numbers but excluded information enabling direct account access or unauthorized transactions. Initial evidence of the breach emerged on October 24, 2019, with confirmation occurring over the subsequent weekend, prompting immediate notification to Italian law enforcement and regulatory authorities. This marked the third cybersecurity incident affecting UniCredit since 2016, though the bank emphasized no connection to prior breaches through a commercial partner in 2016-2017 that impacted 400,000 customers. An internal investigation was initiated to determine the breach methodology, though no technical specifics or attacker attribution were disclosed publicly. The bank began notifying affected clients through postal mail and online banking alerts while maintaining that operational systems remained secure.

The incident occurred amid UniCredit's multi-year €2.4 billion IT infrastructure modernization program launched in 2016 following previous security failures. Italian financial police confirmed active investigations into potential criminal violations related to the data access. No operational disruptions or financial fraud incidents were reported stemming from the breach. UniCredit shares declined 0.4% on the announcement date, consistent with sector-wide performance trends. The disclosure coincided with preparations for a new business plan scheduled for December 2019 presentation. Corporate communications emphasized containment of the breach's scope to non-financial customer data and reaffirmed ongoing cybersecurity investments. No further details regarding breach duration, attacker identity, or specific system vulnerabilities were released during the initial disclosure phase.