Garante per la protezione dei dati personali (Italy) - 9991020

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(f) GDPR
Article 32(1) GDPR
Article 32(2) GDPR
Article 34 GDPR
Type: Investigation
Outcome: Violation Found
Started: 22.10.2022
Decided: 08.02.2024
Published: 08.03.2024
Fine: 2,800,000 EUR
Parties: UniCredit S.p.A.
National Case Number/Name: 9991020
European Case Law Identifier: n/a
Appeal: Pending appeal
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: lm

The DPA fined a controller € 2.8 million for making personal data available in responses to all authentication attempts, including unsuccessful ones, and failing to prevent customer use of simple PINs.

English Summary

Facts

On 22 October 2018, UniCredit S.p.A. ("controller") notified the Italian DPA of a personal data breach that occurred on 21 October 2018. The breach occurred due to a cyberattack on the controller’s mobile banking portal for customers. Third parties tried to access customer accounts by attempting automatically-generated simple PINs.

The mobile banking portal had two vulnerabilities that facilitated the breach. First, the portal made customers’ personal data (first name, surname, tax code, and internal bank identification code) available in HTML responses to authentication attempts, including where attempts were unsuccessful. Second, the controller did not limit the use of simple PINs, making accounts vulnerable to cyberattacks aimed at identifying customer login information (brute force attacks).

Due to the HTML response vulnerability, every login attempt gave cyber attackers access to the names, tax codes, and internal bank identification codes of 777,765 present and former customers. In the case of 6,959 of those customers, the cyber attackers also successfully identified the portal PINs. The controller subsequently blocked the identified PINs. The breach did not include the data subjects’ banking data.

The controller did not consider the breach high-risk pursuant to Article 34 GDPR. It posted a general notice on its website and gave direct notice only to the 6,959 data subjects whose passwords were identified. The DPA disagreed, finding the breach likely to present a high risk to data subject rights after a preliminary investigation. On 13 December 2018, it enjoined the controller to communicate the personal data breach to all data subjects. The controller subsequently prepared differentiated notices, which the DPA found complied with Article 34(2) GDPR.

In a defense brief, the controller argued that it took preventive measures and mitigating controls which exceeded market standards at the time of the breach. Additionally, the controller argued that the breach occurred as a result of its data processor’s negligence. The processor was charged with carrying out vulnerability tests on the controller’s mobile webpage and application. Though it became aware of the mobile portal’s vulnerabilities on 19 October 2018 and identified them as high-level, the processor did not report these to the controller until 22 October 2018.

Holding

The DPA rejected the controller’s defense and found that it infringed Articles 5(1)(f), 32(1) and 32(2) GDPR. First, it noted that making personal data available to anyone attempting authentication, regardless of success, is intrinsically risky in the banking sector, where identified customers may be targeted in phishing attempts or similar attacks. Second, the DPA found that the controller’s failure to prevent simple PINs was a high-risk oversight given the frequency of simple brute force cyberattacks in the financial system. The DPA did not consider the processor’s actions in determining that the controller violated Articles 5(1)(f), 32(1) and 32(2) GDPR.

The DPA issued a € 2,800,000 fine. In doing so, it balanced the large number of data subjects, previous DPA measures resulting from a prior data breach by the controller, and the loss of confidentiality with the controller’s cooperation during the DPA’s investigation, the exclusion of bank data from the breach, and the steps taken to mitigate the breach.

The DPA did not issue other corrective measures, taking into account the controller’s mitigations immediately after the breach and the lack of consumer complaints pursuant to Article 77 GDPR.

Comment

The DPA did not consider the processor’s actions in determining that the controller violated Article 5(1)(f) and Article 32 GDPR. However, the processor, NTT Data Italia S.p.A., was the subject of a separate ruling by the DPA and was fined € 800,000 for violations of Articles 28(2) and 33(2) GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

Provision of 8 February 2024

Register of measures
n. 65 of 8 February 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Avv. Guido Scorza and Dr. Agostino Ghiglia, members, and Dr. Claudio Filippi, deputy secretary general;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the “Regulation”);

HAVING REGARD to the Code regarding the protection of personal data, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, no. 196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter “Code”);

GIVEN the violation of personal data notified to the Authority on 22 October 2018, pursuant to art. 33 of the Regulation, by UniCredit S.p.a. relating to a cyber attack on the online banking system for the mobile web channel;

HAVING EXAMINED the documentation on file;

GIVEN the observations made by the deputy general secretary pursuant to art. 15 of the Guarantor's regulation no. 1/2000;

RAPPORTEUR: Dr. Agostino Ghiglia;

PREMISE

1. Violation of personal data and investigative activity.

1.1. The investigation against UniCredit S.p.a.

On 22 October 2018, UniCredit S.p.a. (hereinafter “UniCredit” or “the Bank”) notified the Guarantor, pursuant to art. 33 of the Regulation, of a personal data breach that occurred following a cyber attack on the online banking system for the mobile web channel (hereinafter "Mobile Banking Portal"), which resulted in the illicit acquisition of some personal data of customers (in particular, name, surname, tax code and internal identification code of the bank, with the exclusion of their bank details).

In particular, the Bank represented that the first attempts at unauthorized access were carried out in the period between 11 and 20 October 2018 and that the cyber attack took place on a massive scale on 21 October 2018, the date on which the Bank, having detected a large number of login attempts to the mobile banking site, immediately proceeded with the notification pursuant to art. 33 of the Regulation, specifying that:

“the attack was implemented through the massive use of sequential codes to identify which of them corresponded to actually existing REB codes (personal identification code for access to the online banking system)”;

the violation involved "731,519 REB codes, of which [...] 6,859 are those blocked by the bank because the password had been identified";

"some personal data of customers (only name, surname, tax code and bank identification code) were visible in the response code to the query, while it does not appear that there was access to the customers' banking data nor that any operations were carried out".

With a subsequent note dated 16 November 2018, the Bank, in response to a request for information formulated by the Office on 9 November 2018, also specified that:

“the attack, coming from an anonymized network (TOR), with the aim of masking the real IP address of the attacker, had the objective of enumerating a series of customers using a fixed password”;

"an application condition allowed the return of information even in the event of failed authentication, and therefore when the REB Code entered corresponded to a customer, regardless of whether the password was the correct one, name and surname, tax code and NDG were returned, which is an internal identification code, assigned to each customer when it is entered into the [...] IT systems [of UniCredit S.p.a.]. For the 6,859 customers, who had a "weak" password used by the attackers [...], the "password" was also identified;

“the immediate technological response, which occurred following the identification that gave rise to the security incident, consisted of blocking individual connections coming from an anonymized network (TOR) and having the characteristics of the cyber attack”; in addition to this, "a quantitative blocking of connections that exceed a critical threshold for a defined time interval has been implemented and an IT mechanism (captcha) aimed at human identification of the user who carries out the Login request, with the aim of blocking automatic connections or computer scripts". [...] a mechanism is being implemented to force the use of complex passwords by users, which will be available in production starting from November 23rd and which with subsequent releases will cover the entire bank's customers";

in the case in question the Bank, "not recognizing the "high risk" referred to in the art. 34 of the Regulation and in consideration of the large number of interested parties, published a press release on its website" and "instead, notified those customers whose password had been blocked because it had been identified by the attackers, and which amounted to 6,859".

In light of an overall examination of the circumstances represented by the Bank, the Authority considered that the violation of the personal data in question, unlike the assessment carried out by the Bank, was likely to present a high risk for the rights and freedoms of natural persons (condition for which communication to interested parties is required) and, therefore, with provision no. 499 of 13 December 2018 (web doc. no. 9076378) ordered UniCredit, pursuant to art. 58, par. 2, lett. e), of the Regulation, to communicate the violation of personal data to all interested parties who had not already been recipients of the communication itself, inviting it to provide adequately motivated feedback regarding the initiatives taken for this purpose as well as regarding the measures adopted to mitigate the negative effects of the violation of personal data on the interested parties.

With a note dated 25 January 2019, the Bank, in describing the methods and timing with which it implemented the provisions issued with the aforementioned provision no. 499, specified that it had prepared differentiated communications for customers and former customers (a copy of which it attached) whose content was found to comply with the provisions of the art. 34, par. 2, of the Regulation.

With the same note, UniCredit also communicated that, following further analyses carried out in order to identify the data subjects to whom the breach had to be communicated, it emerged that the number of subjects involved was higher than that initially identified (for a total number of 777,765 customers and former customers); the Bank also specified that it had introduced an enforcement mechanism for passwords used by users, initially aimed at customers involved in the violation of personal data and progressively extended to all customers by March 2019.

Following subsequent in-depth investigations (see requests for information dated 1 February and 12 April 2019), the Bank provided further clarification elements (see notes dated 26 February and 3 May 2019) based on which, also in light of the documentation on file, it was found that:

a) at the time of the violation of personal data, with regard to the security of processing within the mobile banking portal, the technical and organizational measures referred to in art. 32 of the Regulation consisted of:

1. “login protected by username and password delivered separately to the customer in the branch;

2. account blocking after entering three incorrect passwords;

3. blocking of credentials identified in online data leaks by […] intelligence/anti-fraud services;

4. possibility for the customer to subscribe to a service via SMS (premium SMS) for notification of activities such as online accesses, changes in PIN and personal data carried out by the Bank via the internet;

5. protection of sensitive transactions and activities (e.g. modification of personal data) by requesting an additional One Time Password (OTP);

6. behavioral analysis and transaction monitoring to identify fraud to the detriment of customers;

7. execution of periodic VA/PT […] on the internet/banking infrastructure and application;

8. web application firewall (WAF) to protect against possible web attacks (e.g. sql injection)” (see note dated 26 February 2019, pp. 1-2);

b) in the period between "1 October 2018 and 22 October 2018, a Penetration Test was underway on the Mobile Site system (site and APP for mobile devices)" whose execution had been entrusted to the company NTT Data Italia S.P.A. (hereinafter “NTT Data”) on the basis of an agreement stipulated on 5 June 2017 with UniCredit Business Integrated Solutions S.c.p.a. (now UniCredit Services S.c.p.a., hereinafter “UBIS”) having as its object the provision of “Banking Application Penetration Test & Vulnerability Assessment” services. As part of this agreement, NTT Data was designated by UniCredit as data processor - pursuant to the then current art. 29 of the Code - receiving precise instructions from the same to follow, including:

the express prohibition on entrusting the partial or total execution of vulnerability assessment and penetration testing activities to third parties (see paragraph 14 of the agreement);

where, for the execution of certain activities, the use of a third party is necessary, the obligation to inform the controller so that the latter can, after evaluating its experience, skills and reliability, designate it as a data processor;

the obligation, in the event of detection of vulnerabilities with critical or high level severity, to immediately inform the controller in order to allow it to quickly remove such vulnerabilities (see Annex 3 of the agreement);

c) NTT Data, in carrying out the above activities, deemed it necessary to avail itself of the collaboration of another entity, Truel IT S.r.l. (hereinafter "Truel IT"), which, with a deed of appointment dated 17 September 2018, was designated as sub-processor, in the absence, however, of prior written authorization from UniCredit;

d) on 19 October 2018 NTT Data became aware of two vulnerabilities with high level severity (“User Data disclosure” and “Lack of Reverse Bruteforce Protection”) through Truel IT – which sent it the draft report containing the results of the Vulnerability Assessment and Penetration Testing activities - and informed UniCredit only on 22 October 2018.

1.2. The investigation against NTT Data Italia S.p.a.

With a note dated 15 May 2019, the Authority formulated a request for information from NTT Data which, with communications dated 24 and 27 May 2019, specified that "the Penetration Test and Vulnerability Assessment activities were conducted from 1 to 26 October 2018 according to the following timing:

the execution of the tests [...] was carried out from 1 to 12 October 2018;

the analysis of the results, the removal of false positives, the assessment and classification of vulnerabilities, the drafting of the technical report and sending the same draft report to the customer from 13 to 22 October 2018;

further refinements to the technical document regarding the vulnerabilities detected from 22 to 26 October 2018, with the final report being sent to the customer on 26 October 2018".

NTT Data also provided a copy of the technical reports containing the results of the aforementioned vulnerability assessment and penetration testing activities (both in the draft and final versions) which illustrate ten vulnerabilities detected by Truel IT, including two vulnerabilities with severity of high level:

the first vulnerability, of the "User Data Disclosure" type, allowed the enumeration of all the valid User IDs (consisting of 8 decimal digits) for accessing the mobile banking portal and the acquisition of some personal data (such as the name, surname and the tax code) associated with these User IDs even without knowing the relevant PIN (consisting of 8 decimal digits);

the second vulnerability, of the "Lack of Reverse Bruteforce Protection" type, allowed an unlimited number of authentication attempts to be made to the mobile banking portal with always different User IDs, without being blocked; in this scenario, an attacker could try to identify valid User ID / PIN pairs, for example trying particularly "weak" PINs such as "00000000" or "12345678".

NTT Data also stated that it "became aware of the "User Data disclosure" vulnerability on 19 October 2018 with the sending of the draft report by Truel IT S.r.l." which, for its part, had identified the two vulnerabilities described respectively on 10 October 2018 (the first) and the immediately following day (the second); in the same note NTT Data also highlighted how "typically the potential vulnerabilities of a system are detected during the Penetration Test activities" and that "this detection, however, requires, for the purposes of a risk assessment of the same and, therefore, of timely communication to the customer, the execution of further analysis activities (elimination of false positives) and classification (high, medium and low) and suggested remediation".

For this reason, it carried out, "as per practice, its own analysis of the data received and a further evaluation of the classifications of all 10 vulnerabilities detected" and, only upon completion, did it communicate this to UniCredit "on 22 October 2018 at 10:00 CEST”.

Lastly, NTT Data specified that "the detection [...] of the vulnerabilities in question could not and did not determine the knowledge/detection by NTT DATA Italia of the violation of personal data".

2. The initiation of the procedure for the adoption of corrective and sanctioning measures and the deductions of UniCredit S.p.a.

As a result of the in-depth investigations described above, characterized by a high complexity of the technological profiles (see technical report of 10 December 2019), the Office highlighted the critical issues encountered regarding compliance by the controller and the processor with their obligations regarding the protection of personal data.

In particular, from the analysis of the documentation acquired in the documents and of the declarations made by the data controller (for which the same is responsible pursuant to art. 168 of the Code, "Falseness in declarations to the Guarantor and interruption of the execution of the tasks or of the 'exercise of the powers of the Guarantor") it was ascertained that the technical and organizational measures referred to in art. 32 of the Regulation adopted by UniCredit within the mobile banking portal (see par. 1.1) presented the following critical issues:

the mobile banking portal, due to a so-called "application condition", made available within the returned HTML code, even in the event of failed authentication attempts, some personal data (name, surname, tax code, NDG) of UniCredit customers and former customers, which were therefore capable of being freely consulted and acquired by anyone;

the IT authentication procedure for users of the aforementioned portal had no mechanism capable of effectively countering brute force attacks conducted through so-called bots (computer programs that access websites through the same channel used by human users, simulating their operations).
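The two high-severity findings in paragraph 1.2 ("User Data Disclosure" and "Lack of Reverse Bruteforce Protection") and the two critical issues listed just above are a common pattern: a login endpoint that says different things for "unknown user", "known user, wrong PIN" and "correct PIN", with only a per-account lockout as a brake. The Python below is an added example, not part of the decision and not UniCredit's or NTT Data's code; it shows a toy handler with the disclosure defect beside a hardened one that returns one generic failure body, counts attempts per source across all user IDs (the control a per-account lockout cannot provide against one PIN tried over many IDs), keeps the per-account lockout, and rejects the trivial 8-digit PINs the report cites. Customer records, user IDs, PINs and thresholds are all constructed sample values.

```python
"""Added example: login handler hardened against user-data disclosure and
reverse brute force. Not the Bank's code; all data below is constructed."""

from collections import deque
import secrets
import time

# Constructed sample customer table: 8-digit user ID -> PIN and profile.
CUSTOMERS = {
    "10000001": {"pin": "00000000", "name": "Mario Rossi",
                 "tax_code": "RSSMRA80A01H501U", "ndg": "NDG-0001"},
    "10000002": {"pin": "48213907", "name": "Anna Bianchi",
                 "tax_code": "BNCNNA85B41F205X", "ndg": "NDG-0002"},
}


def profile_of(rec):
    return {"name": rec["name"], "tax_code": rec["tax_code"], "ndg": rec["ndg"]}


def login_vulnerable(user_id, pin):
    """Toy reproduction of the 'application condition': the profile is attached
    whenever the user ID exists, whether or not the PIN is right, so an
    unauthenticated caller learns name, tax code and NDG."""
    rec = CUSTOMERS.get(user_id)
    if rec is None:
        return {"status": "error", "message": "unknown user"}
    if pin != rec["pin"]:
        return {"status": "error", "message": "wrong pin", "profile": profile_of(rec)}
    return {"status": "ok", "profile": profile_of(rec)}


def is_weak_pin(pin):
    """Reject PINs tried first in a reverse brute force: wrong length or
    non-digits, one repeated digit (00000000), or a straight run up or down
    (12345678, 87654321, including wrap-around runs such as 78901234)."""
    if len(pin) != 8 or not pin.isdigit():
        return True
    if len(set(pin)) == 1:
        return True
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {9})


class LoginService:
    """Hardened handler: one generic failure body for unknown ID, wrong PIN
    and locked account; a per-source attempt budget counted across ALL user
    IDs; the per-account lockout; and a PIN policy at PIN-change time."""

    WINDOW_SECONDS = 60               # constructed thresholds
    MAX_ATTEMPTS_PER_SOURCE = 20
    MAX_WRONG_PINS_PER_ACCOUNT = 3
    FAILURE = {"status": "error", "message": "invalid credentials"}

    def __init__(self, customers, clock=time.monotonic):
        self._customers = customers
        self._clock = clock           # injectable for deterministic tests
        self._per_source = {}         # source key (e.g. client IP) -> timestamps
        self._wrong_pins = {}         # user_id -> consecutive wrong PINs
        self._locked = set()

    def _over_budget(self, source):
        now = self._clock()
        q = self._per_source.setdefault(source, deque())
        while q and now - q[0] > self.WINDOW_SECONDS:
            q.popleft()               # drop attempts outside the window
        q.append(now)
        return len(q) > self.MAX_ATTEMPTS_PER_SOURCE

    def login(self, source, user_id, pin):
        if self._over_budget(source):
            return {"status": "throttled", "message": "too many attempts"}
        rec = self._customers.get(user_id)
        # Compare against a dummy when the ID is unknown, so unknown and known
        # IDs take the same code path and return the same response body.
        expected = rec["pin"] if rec else "#" * 8
        pin_ok = secrets.compare_digest(expected.encode(), pin.encode())
        if rec is None or user_id in self._locked or not pin_ok:
            if rec is not None and not pin_ok:
                n = self._wrong_pins.get(user_id, 0) + 1
                self._wrong_pins[user_id] = n
                if n >= self.MAX_WRONG_PINS_PER_ACCOUNT:
                    self._locked.add(user_id)
            return dict(self.FAILURE)
        self._wrong_pins.pop(user_id, None)
        return {"status": "ok", "profile": profile_of(rec)}

    def change_pin(self, user_id, new_pin):
        """Enforce the PIN policy when a customer sets or changes a PIN."""
        if user_id not in self._customers or is_weak_pin(new_pin):
            return False
        self._customers[user_id]["pin"] = new_pin
        return True


if __name__ == "__main__":
    print(login_vulnerable("10000001", "99999999"))          # leaks the profile
    svc = LoginService(CUSTOMERS)
    print(svc.login("203.0.113.9", "10000001", "99999999"))  # generic failure
    print(svc.login("203.0.113.9", "99999999", "00000000"))  # identical body
```

The per-source budget is keyed here by a caller-supplied string; in a real deployment that key is the client address or a device/session fingerprint, and a CAPTCHA or step-up challenge is the usual response once the budget is exhausted rather than a bare rejection. Note that the per-account counter alone never trips during a reverse brute force, since each account sees only one attempt.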

Taking the above into account, the Office, with a note dated 5 February 2020, notified UniCredit S.p.a., data controller, of the start of the procedure for the adoption of the measures referred to in Articles 58, par. 2, and 83 of the Regulation, in compliance with the provisions of art. 166, paragraph 5, of the Code, in relation to the alleged violation of the principle of integrity and confidentiality and of the processing security obligations referred to in Articles 5, par. 1, lett. f), and 32, pars. 1 and 2 of the Regulation.

With the same note, UniCredit was invited to produce defensive writings or documents or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, law no. 689 of November 24, 1981).

On 5 March 2020, the Bank sent a detailed defense statement (accompanied by annexes), which is referred to in its entirety here, with which, in formulating a request for a hearing, it asked the Authority to evaluate "how in light of the conducted [...] before and immediately after the data breach, [...] a possible sanction would appear to be completely unjustified", especially since "no evidence was provided of any damage suffered by the interested parties whose personal data were subject of the violation".

In particular, the Bank highlighted that:

a) “on 21 October 2018, UniCredit's internal control systems detected a cyber attack perpetrated by unidentified third parties (the "Hackers") [...] which resulted in the possibility of viewing, in relation to some users, some data [...] without there having been any evidence of actual viewing, much less of collection, extraction or copying of the same by hackers"; […] “following the attack, the Company promptly took measures to block the violation of personal data and the following day sent a specific notification of the data breach to the Guarantor, providing details on the incident and informing the Guarantor that it was about to communicate the violation of personal data to the interested parties whose account had been blocked"; on the following 16 November 2018, the Bank provided further details regarding the violation that occurred as well as regarding the measures adopted in order to mitigate the risk for the interested parties;

b) “UniCredit represents one of the largest banking groups operating at a European level. […] In light of the important position held and with a view to responsible corporate management, the protection and security of its customers' data are an absolute priority for UniCredit [...] as proven by the circumstance that in the context of the recent plan industrial Transform 2019 the group has invested 2.3 billion euros to further improve and make its IT systems increasingly secure [...]. However, the financial system's exposure to risks is such that even the most advanced security measures are not able to exclude any and all hypotheses of cyber attacks in any case. In particular, as widely represented by the most authoritative sources on cyber security, in 2018 there was a notable increase in terms of the evolution of "cyber" threats and the related impacts from both a quantitative and qualitative point of view [...]. The statistics also show how 2018 was the year in which there was a significant evolution linked to APT (Advanced Persistent Threat) type attacks. These attacks, aimed at specific subjects, are becoming increasingly more advanced and sophisticated and extensively use massive techniques which inevitably lead to the manifestation of system weaknesses. Therefore, even the most advanced security systems, despite being constantly updated, are not immune from the risk of being the subject of attacks because the sophistication and sudden evolution of the ways in which they are executed makes it effectively impossible to adopt measures that are able to protect against every possible type of cyber attack. This is absolutely relevant in the present case: the occurrence of a data breach does not in itself prove the violation tout court of the principle of integrity and confidentiality pursuant to art. 5, par. 1 letter f) of the Regulation, nor the failure to adopt security measures appropriate to the risk pursuant to art. 32 of the Regulation. 
In fact, as noted by authoritative doctrine, the guarantee of adequate safety can be interpreted not only as a preventive measure with respect to any harmful events, but also as an ex post intervention to remedy the anomalies found. In fact, it will be demonstrated below that the measures adopted by UniCredit at the time the data breach occurred, together with those adopted promptly following its occurrence, were adequate for the level of risk and the state of the art at the time of the data breach and therefore compliant with the provisions of the legislation on the protection of personal data. On the contrary, it is not possible to dispute, with respect to events that occurred in 2018, the lack of security measures that would be adequate in 2020, because in the IT security sector two years of difference represent a huge change in the applicable standards";

c) as regards the "critical issues" identified by the Guarantor, it was further clarified (also through documentary attachments) that "at the time of the attack, UniCredit adopted the following security measures:

automatic blocking of the user account after entering four incorrect passwords;

adoption of protected log-in via access credentials delivered separately to users in the branch;

blocking of compromised credentials identified in online data leaks by intelligence/anti-fraud services;

availability of a notification service via SMS of activities such as online accesses to your account, changes to your PIN and personal data made by the bank or via the Internet;

protection of sensitive transactions and activities such as modifications of personal data via double authentication mechanism (One Time Password);

adoption of monitoring tools to identify fraud attempts to the detriment of customers;

execution of periodic vulnerability assessments and penetration tests (“VA-PT”), at least annually, on assets identified as critical, including the internet banking infrastructure and applications, through certified market-leading third parties, on a rotational basis to guarantee the maximum effectiveness and impartiality of the tests and following a methodology for carrying out the security assessment tests of IT assets [...] which required compliance with certain international standards in their execution, such as the OWASP standard, recognized as the state of the art in the sector by the National Cybersecurity Laboratory, and the carrying out of scans of the IT infrastructure and further testing techniques in case of VA-PT based on potential vulnerabilities identified, such as password cracking and social engineering;

execution of periodic vulnerability assessments through automatic scanning tools on assets exposed on the Internet, Extranet and Intranet, and processing of the related reports;

carrying out vulnerability tests on payment systems through ad hoc red teams;

implementation of web application firewalls to protect against possible web attacks, such as injections of SQL code.

In addition to the above [...] the fraud prevention and fraud detection systems adopted at the time of the facts were statistically among the best performing and most effective on the market, with a percentage of prevented frauds equal to 98.6% (compared to 96.5% of the market) as clarified by the Italian Financial CERT […]. Furthermore, each IT vulnerability identified was managed in accordance with a procedure (Security Vulnerability Management [...]) which required the observance of certified processes pursuant to the international standard ISAE 3402 and the use of the risk control system referred to in the international standard ISO 27001. Furthermore, in October 2017, UniCredit had already introduced a system for collecting and managing identified vulnerabilities, similar to that used by the audit functions, with constant risk monitoring carried out by the various corporate functions in charge. Furthermore, in 2018, with the beginning of the full applicability of the Regulation, UniCredit further strengthened its procedures by introducing an immediate reporting obligation in the event of High and Critical vulnerabilities identified, with evidence management in the field of security incidents for which, in more serious cases, in order to safeguard data and infrastructure, the preventive closure of the system involved was envisaged until the identified problem was resolved. Therefore, the system of security measures already adopted by UniCredit at the time of the data breach consisted of a series of preventive measures aimed at avoiding violations and a series of checks aimed at identifying any vulnerabilities of the company's IT systems which, in the opinion of the bank, represents the only approach capable of effectively reducing the risk of cyber attacks”.

The Bank also represented that the adequacy of the preventive measures compared to the state of the art at the time of the occurrence of the personal data breach was "confirmed by the technical report on security measures [...] produced by the company Reply S.r.l., a leading company in the IT security consultancy sector [...]" according to which the same measures were "substantially in line with what is commonly practiced by other credit institutions for the protection of login functions. In fact, the report highlights that solutions such as two factor authentication or CAPTCHA on login functions were not adopted by the majority of Italian credit institutions to protect login procedures at the time of the violation. Two factor authentication became a standardized and recognized authentication method only starting from 14 September 2019 following the entry into force of the European Payment Services Directive (PSD2), but - in anticipation of the regulatory obligation - UniCredit had already been working on it since July 2017, with the actual rollout taking place between March and May 2019 and therefore a good 4 months before the legal obligation came into force. As for CAPTCHA, it would not have allowed us to completely limit the risk of the attack since, as demonstrated by researchers at Columbia University, even such systems can be circumvented";

d) the Bank therefore highlighted how "carrying out checks aimed at identifying any vulnerabilities is the only solution that allows minimizing the risk of cyber attacks, taking into account that there is no software without bugs. Application bugs are part of the natural life cycle of IT development and their onset is proportionate to the level of complexity of the application's structure. In fact, the process of testing applications for identifying bugs is a dynamic activity that lasts over time and is linked to the evolution of the software, in relation to which bugs could also arise due to use by users". It follows that "The presence of an application bug in the Portal does not in itself constitute a violation of the principle of integrity and confidentiality and does not demonstrate the absence, nor proof of the inadequacy, of the security measures adopted by UniCredit because the presence of bugs is an intrinsic characteristic of any software and the only way to identify and correct them is to carry out tests such as those carried out by UniCredit. As proof of the awareness of the importance of controls, UniCredit invested over 2 million euros in vulnerability assessment and penetration test activities in the three-year period 2017-2019, with the carrying out of over 500 penetration tests and 1000 vulnerability assessments, while an investment of over 3.8 million euros is planned for 2020. The correctness of this approach is confirmed by the fact that the application condition from which the data breach arose was identified during the checks carried out in 2018, but the reason why the data breach was not blocked is due to the late notification of the application condition to UniCredit by NTT DATA Italia S.p.A. who carried out the tests."
In particular, "NTT Data - despite having been commissioned by UniCredit during the month of September 2018 to carry out a penetration test and a vulnerability assessment on the Portal - and despite being bound to immediately inform UniCredit in the event of detection of vulnerabilities with severity of critical or high level, acted in violation of its obligations, as expressly regulated in the service contract already produced to the Guarantor [...], failing to immediately transmit the news regarding the detection of the application condition, despite NTT Data having already classified this vulnerability as high on 16 October 2018 […] and therefore 5 days before the attack occurred. In 5 days, UniCredit would have had plenty of time to adopt urgent corrective measures aimed at avoiding the violation of personal data". Therefore, “[…] UniCredit adopted preventive measures and controls that were in line with the state of the art at the time of the data breach, but was the victim of the negligent conduct of NTT Data for which it cannot be held responsible”;

e) as regards the application condition of the Portal (see par. 2, point 1), the same, "unlike what was claimed by the Guarantor, did not make the data "susceptible to being freely consulted and acquired by anyone". In fact, the bug was not visible to anyone who tried to authenticate on the Portal and was only identified following a preliminary phase in which the hackers developed the attack technique through repeated complex access attempts. The attack method adopted by the hackers was characterized by a high degree of sophistication [...] as:

access attempts were conducted using special software aimed at preventing the interception of the origin of communications by inhibiting the analysis of incoming traffic. In fact, such software allows communications to be routed (i.e. attempts to access the Portal) by bypassing the normal transit from client to server and rerouting the connection onto a virtual circuit of layered encrypted routers (so-called onion routers). The use of this technique allows anonymous outgoing traffic and the creation of anonymous services, furthermore the encryption guarantees the so-called perfect forward secrecy, i.e. the total confidentiality of communications even if they are compromised;

the quantity of access attempts carried out starting from 16 October 2018 was specifically calibrated so as not to exceed ordinary traffic thresholds and avoid being intercepted by UniCredit control systems. In fact, the attackers only made direct access attempts to the page's login "form", avoiding downloading the objects that normally make up the web page (e.g. CSS, images, etc.), greatly reducing the overall traffic conveyed by malicious connections;

only after having identified the Portal bug through a bug hunting strategy, the hackers launched a massive attack, using specific software capable of allowing the adoption of the reverse brute force method to carry out access attempts, of which however only a small percentage (i.e. less than 16%) allowed potential exposure of customer data;

the hackers also inserted the wrong characters in the access requests forwarded to avoid being intercepted by the application monitoring tool, which in any case led to the detection of the accesses;

the timing chosen denotes a particular malicious intention and confirms the habitual nature of such behavior by hackers; the massive attack was in fact carried out during a public holiday (Sunday 21 October 2018) starting at 06:15 in the morning. Therefore, the scale of the attack, the timing chosen, the software used and the techniques adopted clearly denote that the hackers had huge computational resources at their disposal as well as being equipped with a very advanced level of specialized IT skills. These conditions are not at all common and it therefore appears clear that [...] the bug did not allow free and indiscriminate access to UniCredit customer data, but rather such action could not ignore the availability of complex and advanced skills and resources. This conclusion is confirmed by the Reply report according to which "the security problem is part of a series of vulnerabilities that are difficult to identify by automatic tools, and which are typically identified through manual analyses conducted by personnel specialized in the security analysis of web applications";

f) in relation to the further criticality identified by the Authority (see par. 2, point 2), the Bank highlighted that, "already before the data breach, it had adopted a prevention system from brute force attacks in the scope of the IT authentication procedure for users of the Portal, i.e. regarding the process of entering the password to perform authentication. The system in fact guaranteed effective protection from attacks conducted by so-called automatic bots because, after four incorrect login attempts, the user was blocked and the attack prevented. Therefore - unlike what the Guarantor believed - the measures adopted by UniCredit made it possible to protect company IT systems from brute force attacks. The type of attack conducted against the Portal cannot be classified as brute force, which as demonstrated above, referring to authentication, was adequately protected, but more precisely as "reverse brute force" since the hackers did not try to identify users' passwords by trying as many combinations as possible, but at most tried to enumerate users' authentication usernames using a trivial fixed password (12*****89). In this context, the adoption of further contrast systems useful to limit or prevent access, or access attempts, coming from the same IP address would not have been effective or practicable considering in particular the peculiar characteristics and habits of UniCredit customers. In fact, there is a high number of customers who use Internet-Mobile banking systems on a daily basis, for which the use of the same IP addresses for access is noticeable, also due to the widespread use of so-called carrier grade NAT (CGN) due to the known saturation of IPv4 addresses.
This is confirmed by the Reply report according to which "this technique has been progressively abandoned due to the increasing use of NAT by mobile and fixed operators (e.g., CGN - Carrier Grade NAT): this tool would therefore risk inhibiting the access to the system to many legitimate users coming from the same public IP used by an attacker”.

Furthermore, "as indicated above, other possible solutions such as two-factor authentication and CAPTCHA were not adopted by the majority of credit institutions at the time of the data breach. In any case, UniCredit had equipped itself with an anti-DDoS (Denial of Service) protection system which was activated in the event of attacks coming from multiple IP addresses (so-called Botnets or bot networks). However, the sophistication of the methods of exploitation of the Portal bug by hackers made it possible to reduce the total traffic carried, effectively keeping it below the mitigation threshold of the technological solution used, called Akamai Prolexic, inhibiting its ability to detect a volume of traffic and attack characteristics such as to activate mitigation. This further confirms that if the attack had been perpetrated by hackers with a less advanced level of sophistication, it would have been identified and blocked by UniCredit's security systems [...]"; what in any case must be underlined is that "the security and risk mitigation measures adopted by UniCredit have proven effective as following the Company's immediate technological response [...] the hackers were unable to continue the attack nor to access the accounts of the interested parties, much less to carry out transactions. The attack merely allowed the possibility of viewing a limited number of personal data, not containing bank data, not belonging to particular categories pursuant to art. 9 or data referred to in art. 10 of the Regulation, and there is no evidence that the Data has been in any way collected, copied or stored by Hackers [...]; […] this shows that – thanks to the measures adopted by UniCredit – the attack did not lead to any theft of personal data".

In summary, according to UniCredit, the objections raised by the Authority could not have been considered founded, as "UniCredit had adopted adequate security measures in line with market standards in order to effectively counter brute force attacks in scope of the IT authentication procedure for users of the Portal. These measures meant that, even with reference to a reverse brute force attack, the incidence of the same was limited to the maximum, taking into account that in any case if NTT Data had promptly notified the application condition, the attack would have been avoided altogether";

g) both immediately after the attack and also in the following days, UniCredit represented that it had implemented security measures and "additional measures largely suitable for further mitigating the risk for the protection of personal data caused by the data breach", which in particular include:

“make a handbook available to all customers for the secure management of access credentials and forward recommendations to the network of branch managers to encourage the dissemination of the indications contained in the handbook;

implement a quantitative blocking of connections beyond the critical threshold and a CAPTCHA, as a further temporary measure in view of the next implementation of two factor authentication;

adopt a mechanism to force the use of complex passwords during sign-in across the entire customer network;

communicate, following the request of the Guarantor, to all interested parties the violation of personal data, including adequate security indications for the management of credentials, also on other sites".

During the hearing, held on 29 September 2020, UniCredit S.p.a., referring to what had already been argued in the defense briefs, requested the dismissal of the sanctioning proceedings, reiterating that:

a) "the security measures adopted by the bank at the time the cyber attack occurred - which can be identified in prevention measures and control measures - were in line with the market standards of the time" and, differently from what the Guarantor believed, "they were able to counter a possible brute force attack";

b) “the analysis conducted following the attack highlighted how the risk of illicit use of the breached data was only potential, considering that the storage of the data was not ascertained [...] nor were unauthorized accesses to the current accounts of the customers involved detected. Among other things, [...] the personal data subject to the violation concerned name and surname, tax code and NDG code, which in themselves do not allow login to online banking systems or other types of operations";

c) “UniCredit's monitoring systems promptly detected the cyber attack [...] and despite the delay of NTT Data which, in violation of its contractual obligations, did not immediately communicate the vulnerability as soon as it became aware of it, which then allowed the attack. This delay is due to an acknowledged error on the part of NTT Data in qualifying the severity of the vulnerability and communicating it once correctly qualified, as declared by NTT Data itself [...]. NTT Data had in fact identified the vulnerability 5 days before the attack but notified it to UniCredit only after the incident and following an express request from the Bank. If the vulnerability had been notified promptly, UniCredit would have had time to eliminate it and the incident would not have occurred. Vulnerability assessments carried out through primary suppliers such as NTT Data are among the adequate security measures adopted by UniCredit because there is no bug-free software. The fact that the vulnerability assessments carried out via NTT Data detected the vulnerability and that the contract with the supplier provided for immediate notification of the same further confirms the adequacy of the security measures adopted by UniCredit";

d) "with respect to the violation of personal data in question, no complaints and/or compensation actions have been received from the interested parties involved".

3. The relevant provisions in relation to the specific case.

Art. 5, par. 1, letter f), of the Regulation establishes, among the general principles that govern the processing of personal data, that personal data must be "processed in a way that guarantees adequate security of personal data, including protection, through adequate technical and organizational measures, from unauthorized or unlawful processing and from accidental loss, destruction or damage (“integrity and confidentiality”)".

Art. 32 of the Regulation (“Security of processing”) also provides, in par. 1, that "taking into account the state of the art and the costs of implementation, as well as the nature, object, context and purposes of the processing, as well as the risk of varying probability and severity for the rights and freedoms of natural persons, the data controller and the data processor implement appropriate technical and organizational measures to guarantee a level of security appropriate to the risk [...]"; the next par. 2 also establishes that "in evaluating the adequate level of security, special account shall be taken of the risks presented by the processing which derive in particular from destruction, loss, modification, unauthorized disclosure or access, in an accidental or unlawful manner, to personal data transmitted, stored or otherwise processed".

4. The Authority's assessments and the outcome of the investigation.

Upon examination of the documentation produced and the declarations made by the data controller during the proceedings, given that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code, this Authority formulates the following conclusive considerations.

In particular, with reference to the technical and organizational measures referred to in art. 32, par. 1, of the Regulation adopted by UniCredit within the mobile banking portal (see par. 1.1, letter a)) and to the objections raised on this point by the Authority (see par. 2, points 1 and 2), in taking note of what was widely illustrated by the credit institute in the defense brief and during the hearing, this Authority notes that:

a) with regard to the “so-called application condition which made available within the HTTP (HyperText Transfer Protocol) response, even in the event of failed authentication attempts, some personal data (name, surname, tax code, NDG) of UniCredit customers and former customers, which therefore were capable of being freely consulted and acquired by anyone" (see par. 2, point 1), it is clear that allowing access to some personal data of customers and former customers, even without passing an IT authentication procedure, does not comply with the regulations on the protection of personal data.

UniCredit's failure to adopt technical measures capable of limiting access to personal data only to authorized personnel or to the interested party resulted in the possibility that the personal data were freely accessible by anyone. In fact, such data was made available within the HTTP (HyperText Transfer Protocol) response provided by the Bank's IT systems to the browser of anyone who attempted, even unsuccessfully, to pass the IT authentication procedure which at the time was present in the mobile banking Portal.

Without prejudice to the fact that the term "anyone" is intended to indicate any person other than authorized personnel and the interested party, this Authority believes that the considerations made by UniCredit regarding the alleged high technical capabilities necessary to exploit the vulnerability present in the mobile banking Portal, rather than proving the adequacy of the technical measures adopted by the institution, demonstrate an underestimation of the risks associated with the provision of online banking services. In fact, the financial sector has always represented a primary target for cyber criminals, as also indicated in a document called "Cyber security: the contribution of the Bank of Italy and Ivass", published in August 2018, prepared by the Group of coordination on cyber security (GCSC) of the Bank of Italy and IVASS, which highlights how "already in 2014 a coordinated attack against numerous US banks led, among other things, to the theft of the personal data of 80 million banking customers of JP Morgan Chase. In the following years, similar episodes multiplied; almost none of the large private financial institutions remained immune and some central banks were also affected. Attacks on the financial system are sometimes conducted with very simple methods, such as the theft of account access credentials through phishing, or denial of service, which, by overloading servers with millions of simultaneous data requests, makes banking services delivered via the network unusable. Other times the intrusions are conducted using complex methods and lead to the theft of funds or data on a large scale. The defense of the financial system is very complex: the sector is highly digitalised, it is interconnected at a global level through a small number of infrastructures that may present vulnerabilities, it is susceptible to attack through possible imprudent behavior of hundreds of millions of users of online financial services";
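The defect described in point a), a login response that carries the customer's profile even when authentication fails, is easy to reproduce and just as easy to test for. The following Python is an added illustration written for this page, not code from UniCredit, NTT Data or the decision: the customer store, the names, the tax code, the NDG value and the PINs are all constructed, and the two handlers stand in for the Portal's server-side login. The leaky handler serialises the profile before the outcome of the PIN check is known; the hardened one releases profile data only after a successful check and returns one identical failure for an unknown User ID and for a wrong PIN, so neither personal data nor the existence of the account can be read from a failed attempt. The two check functions at the end are the regression tests a defender would run in CI against any login endpoint.

```python
import hashlib
import hmac
import json

# Constructed fixture: an in-memory customer store standing in for the bank's
# backend. Names, codes and PINs are invented for this example.
_SALT = b"constructed-demo-salt"  # a real system stores a random salt per account


def _hash_pin(pin: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), _SALT, 50_000)


CUSTOMERS = {
    "12345678": {
        "name": "Mario", "surname": "Rossi",
        "tax_code": "RSSMRA80A01H501U", "ndg": "000123456",
        "pin_hash": _hash_pin("52719384"),
    },
}
PII_FIELDS = ("name", "surname", "tax_code", "ndg")
FAILURE_BODY = json.dumps({"ok": False, "error": "invalid credentials"})


def _pin_matches(user_id: str, pin: str) -> bool:
    rec = CUSTOMERS.get(user_id)
    # Hash even for unknown users so response time does not reveal whether
    # the User ID exists.
    candidate = _hash_pin(pin)
    return rec is not None and hmac.compare_digest(candidate, rec["pin_hash"])


def leaky_login(user_id: str, pin: str):
    """The defect criticised in the decision, in miniature: the profile is
    attached to the response before the outcome is known, so a failed attempt
    against an existing User ID still returns name, surname, tax code and NDG.
    Returns (http_status, body)."""
    rec = CUSTOMERS.get(user_id)
    profile = {k: rec[k] for k in PII_FIELDS} if rec else None
    body = {"ok": _pin_matches(user_id, pin), "profile": profile}
    return 200, json.dumps(body)


def hardened_login(user_id: str, pin: str):
    """Profile data is released only after authentication succeeds, and every
    failure (unknown user or wrong PIN) gets the identical status and body."""
    if not _pin_matches(user_id, pin):
        return 401, FAILURE_BODY
    rec = CUSTOMERS[user_id]
    return 200, json.dumps({"ok": True, "profile": {k: rec[k] for k in PII_FIELDS}})


def failed_attempt_leaks_pii(login_fn, user_id: str, wrong_pin: str = "00000000") -> bool:
    """Regression check: submit a wrong PIN for a known account and look for
    any of that account's profile fields in the response body."""
    rec = CUSTOMERS[user_id]
    _status, body = login_fn(user_id, wrong_pin)
    return any(rec[field] in body for field in PII_FIELDS)


def failures_distinguish_users(login_fn) -> bool:
    """Enumeration check: a failed attempt for an existing account must look
    exactly like a failed attempt for an account that does not exist."""
    existing = login_fn("12345678", "00000000")
    unknown = login_fn("99999999", "00000000")
    return existing != unknown


if __name__ == "__main__":
    print("leaky handler exposes PII on failure:", failed_attempt_leaks_pii(leaky_login, "12345678"))
    print("hardened handler exposes PII on failure:", failed_attempt_leaks_pii(hardened_login, "12345678"))
    print("hardened handler reveals account existence:", failures_distinguish_users(hardened_login))
```

The point of `failures_distinguish_users` is that the fix is not only "strip the profile from the 401": the status code, the body and (via the dummy hash) the response time of a failure should all be the same whether or not the User ID exists, otherwise the login form still confirms which identifiers are real accounts.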

b) as regards the second aspect under dispute, i.e. the failure to adopt, within the IT authentication procedure of users of the mobile banking portal, any mechanism capable of effectively counteracting brute force attacks conducted through the use of so-called bots (computer programs that access websites through the same channel used by human users, simulating their operations) (see par. 2, point 2), the Authority notes that the IT authentication system adopted by UniCredit at the time – which involved the use of authentication credentials consisting only of a User ID and a PIN, both made up of 8 decimal digits – was open to being the subject of brute force attacks, i.e. cyber attacks with the aim of identifying valid IT authentication credentials for access to a specific online system or service. This is also in consideration of the fact that, at the time of the violation, UniCredit had not adopted any technical measure that prevented users from using simple PINs, such as, for example, those composed of repetitions or sequences of numbers or coinciding with the date of birth or with the User ID.

In this regard, it should be highlighted that there are various brute force cyber attacks, such as, for example, simple brute force attacks (aimed at identifying the password or PIN used by a specific user, verifying all possible combinations of letters and numbers), dictionary attacks (aimed at identifying the password or PIN used by a specific user, verifying the possible combinations present in dictionaries composed of the most common passwords or PINs or of passwords or PINs compromised in the context of other cyber attacks), credential stuffing attacks (aimed at verifying the validity of authentication credentials acquired as part of other cyber attacks), reverse brute force attacks (aimed at identifying users who use a specific password or PIN, often very common or simple) or even a combination of them. In the case in question, an adequate assessment of the risks presented by the processing carried out within the mobile banking portal would have allowed UniCredit to correctly analyze the characteristics of the IT authentication system, to identify the weaknesses likely to compromise the security of the processing and, consequently, to adopt measures to manage and mitigate the risks associated with these weaknesses, including those for proactive defense against reverse brute force cyber attacks.
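Point b) names two gaps: no rule stopping customers from choosing simple 8-digit PINs (repetitions, sequences, date of birth, the User ID itself), and a lockout that counted failures per account, which says nothing about one PIN being tried across many accounts. The Python below is an added example for this page, not code from the Bank or from the decision, covering both. `check_pin` enforces exactly the four weak-PIN patterns the Authority lists (the sequence test also accepts wrap-around such as 9012...; that extension is the example's own choice). `ReverseBruteForceMonitor` is one form of the "proactive defense against reverse brute force" the Authority calls for: it counts, per submitted PIN value, how many distinct User IDs have failed with it inside a sliding window, which is the signal a per-account lockout cannot see; it stores only a keyed hash of the PIN. The threshold, window, key and the traffic in `run_demo` are all constructed for the example.

```python
import hashlib
import re
from collections import defaultdict, deque
from datetime import date

PIN_RE = re.compile(r"\d{8}")


def _is_sequence(digits: str) -> bool:
    """Every step is +1 or every step is -1 modulo 10: 12345678, 87654321, 90123456."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {9})


def _is_repetition(digits: str) -> bool:
    """A short block repeated to fill the PIN: 11111111, 12121212, 12341234."""
    n = len(digits)
    return any(digits == digits[:k] * (n // k)
               for k in range(1, n // 2 + 1) if n % k == 0)


def _dob_forms(dob: date) -> set:
    d, m, y = f"{dob.day:02d}", f"{dob.month:02d}", str(dob.year)
    return {d + m + y, y + m + d, m + d + y}


def check_pin(pin: str, user_id: str, dob_iso: str) -> list:
    """Return the policy rules the PIN violates (empty list = accepted).
    dob_iso is the customer's date of birth as YYYY-MM-DD."""
    if not PIN_RE.fullmatch(pin):
        return ["must be exactly 8 decimal digits"]
    problems = []
    if _is_repetition(pin):
        problems.append("repeated digit block")
    if _is_sequence(pin):
        problems.append("ascending or descending sequence")
    if pin == user_id:
        problems.append("equals User ID")
    if pin in _dob_forms(date.fromisoformat(dob_iso)):
        problems.append("equals date of birth")
    return problems


class ReverseBruteForceMonitor:
    """Counts, per PIN value, the distinct User IDs that failed with it inside a
    sliding window. Many accounts failing on the same value is the signature of
    one PIN being sprayed across the customer base; a per-account lockout
    (four failures, as the Bank had) never trips on it."""

    def __init__(self, window_seconds=600, max_accounts_per_pin=20, key=b"constructed-key"):
        self.window = window_seconds
        self.threshold = max_accounts_per_pin
        self.key = key  # assumption: a secret kept server-side, rotated like any other key
        self._events = defaultdict(deque)  # pin_tag -> deque of (timestamp, user_id)

    def _tag(self, pin: str) -> str:
        # Keyed hash so the stored tag cannot be reversed to the PIN offline.
        return hashlib.blake2b(pin.encode(), key=self.key, digest_size=16).hexdigest()

    def record_failure(self, ts: float, user_id: str, pin: str) -> bool:
        """Record one failed login; return True if this PIN value is now being
        tried against more distinct accounts than the threshold allows."""
        q = self._events[self._tag(pin)]
        q.append((ts, user_id))
        while q and ts - q[0][0] > self.window:
            q.popleft()
        return len({u for _, u in q}) > self.threshold


def run_demo():
    """Constructed traffic: 30 customers each mistype their own distinct PIN,
    then one fixed PIN is submitted against 25 different User IDs. Returns
    (any alert on the benign traffic, index of the first alert in the spray)."""
    mon = ReverseBruteForceMonitor(max_accounts_per_pin=20)
    benign = [mon.record_failure(t, f"{10000000 + t:08d}", f"{90000000 - t:08d}")
              for t in range(30)]
    spray = [mon.record_failure(100 + i, f"{20000000 + i:08d}", "11223344")
             for i in range(25)]
    return any(benign), (spray.index(True) if True in spray else -1)


if __name__ == "__main__":
    print(check_pin("12345678", "12345678", "1980-01-01"))
    print(check_pin("52719384", "12345678", "1980-01-01"))
    print(run_demo())
```

What to do when the monitor fires is a policy decision the code leaves open: raising a step-up challenge for the affected accounts and alerting the SOC keeps legitimate customers behind a shared carrier-grade NAT address usable, which is the objection the Bank raised against plain per-IP blocking.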

5. Conclusions: declaration of unlawfulness of the processing. Corrective measures pursuant to art. 58, par. 2, of the Regulation.

For the above reasons, the Authority believes that the declarations made by the data controller in the defense briefs - the truthfulness of which it may be called upon to answer for pursuant to the aforementioned art. 168 of the Code - although worthy of consideration, do not allow the findings notified by the Office with the act of initiating the procedure to be overcome and are insufficient to allow its dismissal, as, moreover, none of the cases provided for by art. 11 of the Guarantor's regulation no. 1/2019, concerning the internal procedures of the Authority with external relevance, applies.

In particular, the critical issues presented have highlighted that the violations of personal data which occurred - alongside the considerations regarding the liability profiles of NTT Data, the data processor, which are the subject of a distinct and separate provision of this Authority - took place because UniCredit S.p.a., the data controller to whom "general responsibility" is attributed for the processing of personal data directly carried out or that others have carried out on its behalf, failed to verify, in relation to the nature, context, purposes and the risks of the processing carried out within the home banking portal, its effective compliance with the principles of integrity and confidentiality referred to in art. 5, par. 1, letter f), of the Regulation and with the obligations regarding the security of processing referred to in art. 32, par. 1 and 2 of the Regulation.

However, taking into account what was declared by the Bank during the proceedings, regarding the implementation, immediately after the violation, of security measures and "additional measures largely suitable for further mitigating the risk for the protection of personal data caused from the data breach” (see par. 1.1, letter g)) as well as the fact that, following the event, no complaints were received pursuant to art. 77 of the Regulation by subjects affected by the violation, this Authority, in exercising the corrective powers attributed by the art. 58, par. 2 of the Regulation, believes it is not necessary to order corrective measures pursuant to art. 58, par. 2, letter. d), and provides for a pecuniary administrative sanction pursuant to art. 83 of the Regulation, commensurate with the circumstances of the specific case (art. 58, par. 2, letter i)).

6. Injunction order.

Violation of the provisions mentioned above entails the application of the administrative sanction provided for by the art. 83, par. 4, letter. a), and 5, letter. a), of the Regulation.

In this regard, it is noted that the violation of art. 32 of the Regulation, as it refers to the failure to adopt safety measures implementing a principle included in the provision, of general scope, referred to in art. 5 of the Regulation and concerning the "integrity and confidentiality" of the data being processed (art. 5, par. 1, letter f), of the Regulation) will be assessed overall in the context of the violation of the aforementioned regulatory provision with consequent application of the only sanction provided for in the art. 83, par. 5, letter. a), of the Regulation.

This provision, in setting the statutory maximum in the sum of 20 million euros or, for companies, in 4% of the annual worldwide turnover of the previous financial year whichever is higher, specifies the methods for quantifying the aforementioned sanction, which must "in any case [be] effective, proportionate and dissuasive" (art. 83, par. 1 of the Regulation), identifying, for this purpose, a series of elements, listed in the art. 83, par. 2 of the Regulation, to be assessed when quantifying the relevant amount; in fulfillment of this provision, in this case, the circumstances reported below are relevant:

a) with reference to the nature, severity and duration of the violation (art. 83, par. 2, letter a), of the Regulation), the loss of confidentiality that occurred due to a personal data breach resulting from the failure to comply with the general principles relating to security measures (art. 5, par. 1, letter f), and 32 of the Regulation) was taken into consideration, as well as the circumstance that the violation affected an extremely significant number of interested parties;

b) with reference to the intentional or negligent nature of the violations and the degree of responsibility of the owner (art. 83, par. 2, letters b) and d), of the Regulation), the behavior of the data controller who has not complied with the regulations on the protection of personal data in relation to the general principles regarding security measures for processing;

c) with reference to the adoption, by the owner, of measures aimed at mitigating the damage suffered by the interested parties (art. 83, par. 2, letter c), of the Regulation), the various information initiatives and the support provided to customers affected by the violation of personal data from the day the incident was detected, also in compliance with the Authority's provision no. 499 of 13 December 2018, were considered positively; the implementations of the security measures adopted immediately after the event must be evaluated equally positively (see point 1.1, letter g));

d) the existence of previous measures by the Authority against the owner adopted also following another violation of personal data (art. 83, par. 2, letter e), of the Regulation);

e) active collaboration with the Authority, also with regard to the reconstruction of events and relations with the data processor (art. 83, par. 2, letter f), of the Regulation);

f) with reference to the categories of personal data affected by the violation (art. 83, par. 2, letter g) of the Regulation), it was considered that the common data of the interested parties were subject to the violation, with the exclusion of banking data.

In consideration of the aforementioned principles of effectiveness, proportionality and dissuasiveness (art. 83, paragraph 1, of the Regulation) which the Authority must comply with in determining the amount of the sanction, the economic conditions of the offender were taken into consideration, determined based on the revenues achieved referring to the financial statements for the year 2022.

On the basis of the aforementioned elements, evaluated as a whole, it is decided to set the amount of the pecuniary sanction at 2,800,000 euros (two million eight hundred thousand) for the violation of articles 5, par. 1, letter f), and 32, par. 1 and 2 of the Regulation.

In this framework, also in consideration of the type of violation ascertained, which concerned the principles of protection of personal data, it is believed that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's regulation no. 1/2019, this provision must be published on the Guarantor's website.

Finally, it is noted that the conditions set out in art. 17 of regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

IN VIEW OF ALL THE ABOVE, THE GUARANTOR

declares, pursuant to articles 57, par. 1, letter f), and 83 of the Regulation, the unlawfulness of the processing carried out, within the terms set out in the motivation, for the violation of articles 5, par. 1, letter f), and 32, par. 1 and 2 of the Regulation.

ENJOINS

to UniCredit S.p.a., with registered office in Milan, Piazza Gae Aulenti, 3, C.F./P.I. 00348170101, pursuant to art. 58, par. 2, letter. i), of the Regulation, to pay the sum of 2,800,000 (two million eight hundred thousand) euros as a pecuniary administrative sanction for the violations indicated in this provision;

ORDERS

to the same UniCredit S.p.a. to pay the sum of 2,800,000 (two million eight hundred thousand) euros according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts in accordance with the art. 27 of law no. 689/1981.

It is noted that pursuant to art. 166, paragraph 8, of the Code, the violator retains the right to settle the dispute through the payment - always according to the methods indicated in the annex - of an amount equal to half of the sanction imposed within the deadline referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1 September 2011 provided for the filing of the appeal as indicated below.

PROVIDES FOR

pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor's Regulation no. 1/2019, the publication of this provision on the Guarantor's website, and believes that the conditions set out in art. 17 of regulation no. 1/2019 are met.

Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150 of 1 September 2011, it is possible to appeal against this provision before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 8 February 2024

PRESIDENT
Stanzione

THE SPEAKER
Ghiglia

THE DEPUTY SECRETARY GENERAL
Filippi