Italy’s largest bank UniCredit has been the victim of a security breach due to unauthorised access through an Italian third-party provider to customer data – with up to 400,000 customers potentially affected.

The incident is confined to Italy and relates to personal loans only. The bank says a first breach seems to have occurred in September and October 2016 and a second breach which has just been identified in June and July 2017.

UniCredit says data of approximately 400,000 customers in Italy is assumed to have been impacted during these two periods. No data, such as passwords allowing access to customer accounts or allowing for unauthorised transactions, has been affected, whilst some other personal data and IBAN numbers “might have been accessed”.

The bank has launched an audit and has informed all the relevant authorities. It will also file a claim with the Milan Prosecutor’s office. The bank has also taken unspecified remedial action to close this breach.

It won’t be any consolation to its affected customers, but UniCredit says, as part of its Transform 2019 programme, it is investing €2.3 billion in upgrading and strengthening its IT systems.

Clear to test

Recently, UniCredit started testing with RT1, EBA Clearing’s pan-European, real-time payment platform. This test phase is a “key milestone” for UniCredit in its preparations to roll out euro instant payment products to its customer base across Europe.

UniCredit customers in Italy and Germany will be the first to use this new payment method, starting from November 2017 onwards.


In December last year, the bank said it plans to raise €13 billion and axe 14,000 jobs over the next two years as it looks to get its finances in order.

Along with the job cuts, which amount to about 11% of its workforce, UniCredit will shut down about 25% of its 3,800 branches. It also aims to use the record rights issue to remove around €17.7 billion of bad debt from its balance sheet and improve profitability.