On March 7, 2024, the Italian data protection authority (Garante) announced in its newsletter decision n. 65 of February 8, 2024, in which it imposed a fine of €2.8 million on UniCredit S.p.A. for violations of the General Data Protection Regulation (GDPR). 

Background to the decision

On October 22, 2018, UniCredit notified the Garante of a data breach following a cyberattack on the online banking system for the mobile web channel which resulted in the illicit acquisition of the personal data of some customers. The personal data acquired included customer names, surnames, and the tax code and internal identification code of the bank, with the exclusion of the customer's bank details. UniCredit stated the attack took place on October 21, 2018, which is the date UniCredit detected a large number of log-in attempts to its mobile banking site after which it immediately proceeded with notification to the Garante. In light of the circumstances, the Garante considered the breach was likely to present a high risk to the rights and freedoms of affected customers and required UniCredit to communicate the violation to affected customers. 

The Garante highlighted that a second investigation was initiated against NTT DATA Italia, which was responsible for conducting the penetration tests and vulnerability assessment activities from October 1, 2018, to October 26, 2018, for UniCredit. The Garante stated that the investigation determined that NTT DATA Italia subsequently contracted with a third company to perform assessments for UniCredit on its behalf without proper authorization from UniCredit. 

Findings of the Garante

The Garante determined that UniCredit failed to verify the effective compliance of the context, purposes, and risks associated with the processing of data carried out in its banking portal, as required in the principles of integrity and confidentiality of Article 5(1)(f) of the GDPR. Regarding the technical and organizational measures required by Article 32 of the GDPR, the Garante noted that UniCredit's failure to adopt technical measures capable of limiting access to personal data to authorized personnel or the interested party resulted in the possibility that the personal data was freely accessible by anyone. 

Mitigating factors considered by the Garante included the fact that following the event, no complaints from affected data subjects were received in addition to the implementation of security measures immediately following the breach. 

Outcomes

In light of the above, the Garante imposed a fine of €2.8 million as a pecuniary administrative sanction for the abovementioned violations to be paid within 30 days of notification of the provision. 

You can read the newsletter here and the decision here, both only available in Italian.