Cyber Incident Victim: Banca Monte dei Paschi di Siena
Date: Mar 2020
Location: Italy
Summary
Hackers compromised employee mailboxes at Monte dei Paschi and sent clients fraudulent emails containing voice mail attachments. The attack exploited heightened digital activity during pandemic-related restrictions, though the bank's notice confirmed no evidence of data breaches or customer financial losses. This incident aligned with broader cybersecurity warnings from Italian authorities about increased phishing attempts impersonating institutions during the health crisis, targeting sensitive information through pandemic-themed lures. The bank did not disclose whether clients interacted with the malicious messages.
Description
On March 30, 2020, hackers compromised employee mailboxes at Italy’s Monte dei Paschi di Siena (MPS), enabling them to send fraudulent emails to bank clients. The attackers transmitted messages containing voice mail attachments, though the notice sent to customers did not specify whether these attachments contained malware or phishing attempts. MPS confirmed the incident in a customer communication reviewed by Reuters, clarifying that unauthorized third parties had accessed staff email accounts to distribute these communications. The bank did not disclose the number of affected employees or customers, nor did it confirm whether client data or financial systems were breached. No information was provided regarding potential financial losses incurred by customers, and the bank declined further comment when contacted by Reuters.

The attack occurred amid heightened cybersecurity warnings across Italy during the COVID-19 pandemic, as criminals exploited public anxiety over health and economic disruptions. Italian authorities had reported increased cybercrime targeting remote banking, e-commerce, and COVID-19-related communications, with fraudsters impersonating banks and government agencies to harvest credentials. Police advisories specifically cautioned citizens to scrutinize emails from financial institutions, noting a surge in home banking scams during nationwide lockdowns. While MPS implemented customer notifications, no technical containment measures, forensic findings, or attacker attribution details were disclosed in the available documentation. The incident underscored broader sector vulnerabilities as banks adapted to remote operations amid Italy’s movement restrictions.
