
Italy: Garante fines UniCredit €2.8M for GDPR violations

March 11, 2024
Summary

The Italian data protection authority, Garante, fined UniCredit S.p.A. €2.8 million for GDPR violations after a cyberattack on October 21, 2018, led to the unauthorized acquisition of customers' personal data. UniCredit reported the breach, which included names, surnames, tax codes, and internal identification codes, but not banking details. A subsequent investigation into NTT DATA Italia, responsible for UniCredit's security assessments, revealed unauthorized subcontracting. The Garante's decision cited UniCredit's failure to ensure data integrity and confidentiality, and inadequate access restrictions, but acknowledged no complaints from affected customers and immediate post-breach security improvements.

On March 7, 2024, the Italian data protection authority (Garante) announced in its newsletter decision n. 65 of February 8, 2024, in which it imposed a fine of €2.8 million on UniCredit S.p.A. for violations of the General Data Protection Regulation (GDPR).

Background to the decision

On October 22, 2018, UniCredit notified the Garante of a data breach following a cyberattack on the online banking system for the mobile web channel which resulted in the illicit acquisition of the personal data of some customers. The personal data acquired included customer names, surnames, and the tax code and internal identification code of the bank, with the exclusion of the customer's bank details. UniCred
