Cyber Incident Victim: UniCredit SpA
Date: Apr 2020
Location: Italy
Summary
Employee data from UniCredit, including emails, phone numbers, encrypted passwords, and names of approximately 3,000 staff members, was offered for sale on cybercrime forums. The breach was potentially linked to a SQL injection attack targeting a third-party HR recruiting platform, though the bank stated no evidence indicated unauthorized access to its own systems. This incident follows a prior compromise affecting millions of customers' personal details. The institution emphasized ongoing investments in cybersecurity and data protection as core priorities while collaborating with authorities to investigate the matter.
Description
In April 2020, data purportedly belonging to approximately 3,000 UniCredit SpA employees appeared for sale on cybercrime forums, as reported by Telsy, a cybersecurity unit of Telecom Italia SpA. The dataset, advertised on April 19, included employee names, email addresses, phone numbers, and encrypted passwords. Telsy assessed the database as likely authentic and attributed its compromise to a potential SQL injection attack, a technique in which attacker-supplied input is interpreted as part of a SQL query that the application sends to its database. UniCredit confirmed awareness of the incident but clarified that the reference to the bank stemmed from an alleged breach involving a third-party HR recruiting platform in Romania, and emphasized that no evidence indicated unauthorized access to UniCredit’s internal systems. The bank initiated an investigation and engaged relevant authorities while reiterating its commitment to data security.

The seller offered the data in tiered packages: access to 3,000 employee names cost $1,000, while a $10,000 package included 150,000 rows of data described as UniCredit records from late 2018 to 2019. This incident followed a 2019 breach disclosed by UniCredit, which exposed names, phone numbers, and emails of 3 million customers. The bank highlighted its multi-billion-euro cybersecurity and IT modernization investments since 2016 as part of its defense strategy. No operational disruptions or client financial losses were reported in connection with the 2020 incident, though the exposure of employee credentials and personal details raised concerns over potential secondary attacks or identity theft. UniCredit maintained that data protection remained a priority but did not disclose remediation steps for affected employees or specifics about the third-party platform’s involvement.
