Data stolen from Italy’s Unicredit was allegedly obtained through a cyber breach of a company contracted by Unicredit to provide HR services. The data went on sale April 19, and reportedly includes employee names, email addresses, phone numbers and encrypted passwords. Telecom Italia unit Telsy reported that “the database appears to be genuine and the potential result of a SQL injection attack”.
Unicredit’s repeated cyber breaches and data leaks point to continued poor cyber governance at the beleaguered banking group.
Unicredit has been a consistent underperformer on cyber governance per Cyberhedge ratings. This latest incident is the fourth publicly reported breach to hit the Italian banking group since September 2016. The repeated breaches and continued poor cyber ratings demonstrate that Unicredit is not adequately managing its technology, a serious problem for a company in a sector that is increasingly digitizing all aspects of the business.
While the breach occurred via a third-party HR recruiting platform, and not directly in Unicredit’s IT systems, this incident once again highlights the fact that a company’s technology management extends to the cyber practices of its third parties and the vulnerabilities they introduce. Cyber governance covers not just direct links into the corporate IT network, but also sensitive corporate information that may be stored on third parties’ IT networks.
Moreover, this is Unicredit’s second reported data loss incident that occurred through a third party. Poorly managed companies tend to do a poor job at managing their technology. And while Unicredit has been subject to macro pressures for many years, it reports that it has spent 2.4b euros on ‘upgrading and strengthening its IT systems and cybersecurity’ since 2016. But having the latest and greatest security hardware and software alone does not correlate with better security outcomes. The people and processes that underpin a company’s cyber governance play a decisive role. Based on the known facts (as of today), Unicredit’s own IT systems do not appear to have come into play in the breach, but its oversight of a third party holding valuable company data did.