UniCredit S.p.A. – €800,000 Fine (Italy, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On 22 October 2018, UniCredit S.p.A. ("controller") notified the Italian DPA of a personal data breach that occurred in the period between 11 October and 21 October 2018. The breach occurred due to a cyberattack on the controller’s mobile banking portal for customers. Third parties tried to access customer accounts by attempting automatically generated simple PINs. The mobile banking portal had two vulnerabilities that facilitated the breach. First, the portal made customers’ personal data (first name, surname, tax code, and internal bank identification code) available in HTML responses to authentication attempts, including where attempts were unsuccessful. Second, the controller did not limit the use of simple PINs, making accounts vulnerable to cyberattacks aimed at identifying customer login information (brute force attacks). Due to the HTML response vulnerability, every login attempt gave cyber attackers access to the names, tax codes, and internal bank identification codes of 777,765 present and former customers. In the case of 6,959 of those customers, the cyber attackers also successfully identified the portal PINs. The controller subsequently blocked the identified PINs. The breach did not include the data subjects’ banking data. The controller did not consider the breach high-risk pursuant to Article 34 GDPR. It posted a general notice on its website and gave direct notice only to the 6,959 data subjects whose passwords were identified. The DPA disagreed, finding the breach likely to present a high risk to data subject rights after a preliminary investigation. In a defense brief, the controller argued that the breach occurred as a result of NTT Data Italia S.p.A.’s negligence ("processor"). The processor was charged with carrying out vulnerability tests on the controller’s mobile webpage and application together with Truel IT S.r.l. ("sub-processor"). The sub-processor was engaged without prior written authorization from the controller and was the one that
GDPR Articles Cited
Related Enforcement Actions (1)
Other enforcement actions involving UniCredit S.p.A. in IT
Details
Fine Date
8 February 2024
Authority
Garante per la protezione dei dati personali
Fine Amount
€800,000
GDPRhub ID
gdprhub-7763
Cite as: Cookie Fines. UniCredit S.p.A. - Italy (2024). Retrieved from cookiefines.eu