Unicredit S.p.A. – €600,000 Fine (Italy, 2020)
Unicredit faced a hefty fine for failing to protect customer data adequately, which is crucial for maintaining trust. The company did not implement proper security measures to prevent data breaches. This ruling emphasizes the need for strong data security practices in businesses.
What happened
Unicredit was fined for inadequate security measures that led to data breaches.
Who was affected
Customers of Unicredit whose personal data was compromised were affected.
What the authority found
The Italian data protection authority ruled that Unicredit violated GDPR by not having sufficient security measures in place to protect personal data.
Why this matters
This ruling serves as a reminder for all companies to prioritize data security. Small businesses should invest in robust security measures to protect customer information and avoid similar penalties.
GDPR Articles Cited
National Law Articles
Between April 2016 and July 2017, Unicredit S.p.A., one of the major banking groups in Italy, suffered two data breaches of its systems, affecting the personal data of more than 700,000 customers. In July 2017 the Bank informed the Italian DPA, as well as all the customers involved, about the breaches. The DPA immediately opened an investigation and found that the breaches were caused by the use of employee credentials belonging to a financial partner, Penta Finanziamenti Italia S.r.l., through a software application called Speedy Arena. It is still not clear whether the breaches were directly carried out by the partner's employees or whether those credentials had been stolen and used by an external third party.

After the bank admitted that unauthorized access to customers' personal data had taken place, its first line of defence was to argue that it had put in place all the technical and organisational measures needed to prevent this kind of breach, and therefore that no fine should be imposed or, at the least, that the fine should be the legal minimum. The financial partner argued that it had only limited access to the files of Unicredit's customers and that it had its own security measures in place to prevent such incidents.

After its investigation, the Garante had to determine whether the security measures described were effective and compliant with the data protection law in force at the time. Although the bank noted that it had made a particular effort in the security field, the Garante found that the breaches occurred because of inadequate security measures adopted by Unicredit in the implementation of 'Speedy Arena', and a lack of proper access control over the permission and authorization levels granted to the employees of the financial partner, Penta Finanziamenti Italia S.r.l. The Garante also noted the absence of specific control by the bank over the work of the financial partner, which potentially had the chance to access a large amount of information by only using the fil
Violations (1)
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
Related Enforcement Actions (1)
Other enforcement actions involving Unicredit S.p.A. in IT
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
10 June 2020
Authority
Garante per la protezione dei dati personali
Fine Amount
€600,000
GDPRhub ID
gdprhub-2517
Cite as: Cookie Fines. Unicredit S.p.A. - Italy (2020). Retrieved from cookiefines.eu