Garante per la protezione dei dati personali - 9429195

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 32 GDPR
DPA guidelines on banking sector
Italian Data protection Code (D.lgs. 196/2003)
Type: Investigation
Outcome: Violation Found
Decided: 10.06.2020
Published: 10.06.2020
Fine: 600000 EUR
Parties: Unicredit S.p.A.
National Case Number/Name: 9429195
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Ordinanza ingiunzione nei confronti di UniCredit S.p.A. - 10 giugno 2020 [9429195 (in IT)]
Initial Contributor: Andrea Spataro

The Italian DPA imposed a fine of 600.000€ on a bank, Unicredit S.p.A., for two data breaches it suffered between April 2016 and July 2017, which exposed personal and financial data of 762.000 customers. The data controller did not process personal data in a manner that ensured appropriate security, namely protection against unauthorised processing by a third party, and it did not follow the specific guidelines established for the banking industry regarding log tracking.

English Summary

Facts

Between April 2016 and July 2017, Unicredit S.p.A., one of the major banking groups in Italy, suffered two data breaches of its systems, which affected the personal data of more than 700.000 customers. In July 2017 the bank informed the Italian DPA, as well as all the customers involved, about the breaches. The DPA immediately opened an investigation and found that the breaches had been carried out with the credentials of employees of a financial partner, Penta Finanziamenti Italia S.r.l., through an application called Speedy Arena. It remains unclear whether the breaches were directly caused by the partner's employees or whether those credentials had been stolen and used by an external third party.

Dispute

After the bank admitted that unauthorised access to customers' personal data had taken place, its first line of defence was to argue that it had put in place all the technical and organisational measures needed to prevent this kind of breach, so that no fine should be imposed or, at most, only the legal minimum. The financial partner argued that it had limited access to the files of Unicredit's customers and that it had its own security measures in place to prevent such incidents. After its investigation, the Garante had to decide whether the security measures in question were effective and in line with the data protection law in force at the time.

Holding

Although the bank noted that it had made a particular effort in the field of security, the Garante found that the breaches occurred because of insufficient security measures in Unicredit's implementation of 'Speedy Arena' and a lack of proper access control over the permissions and authorisations granted to the employees of the financial partner, Penta Finanziamenti Italia S.r.l. The Garante noted the absence of specific control by the bank over the work of the financial partner, whose employees could potentially access a large amount of information simply by entering the file number of a bank customer.

Secondly, the bank did not properly follow the Guidelines designed specifically for the banking sector, which explicitly require banks to track and retain all logs of banking operations on customers' files for at least 24 months. In particular, the DPA found that the log register did not record the customer reference number, only the file number, and that the retention period was shorter than the 24 months established by the Guidelines.

Lastly, the bank had not set up proper security alerts for anomalous access requests made through the application, in particular for high volumes of requests.
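The three failings above (file-number-only logs, no limit on which files a partner user could open, no alert on a single user reading files at up to 10 per second in consecutive order) translate directly into checks a defender can run over application access logs. The following Python is an added example, not code from the decision or from UniCredit; the record layout, the thresholds and the user and customer codes in the sample lines are constructed assumptions.

```python
"""Added example (not from the decision or from UniCredit): checks a defender
would run over application access logs, given the failings the Garante
describes. Field layout, thresholds, user and customer codes are assumed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple


class AccessEvent(NamedTuple):
    ts: datetime
    user: str       # user code of the operator (partner or internal)
    ip: str         # source IP of the request
    op: str         # operation type
    file_no: int    # loan file ("practice") number
    customer: str   # customer code, the field the logs in the case lacked


# Constructed sample lines: one partner user walks eight consecutive file
# numbers at ten per second, another user behaves normally.
SAMPLE_LOG = """\
2016-05-02T09:00:00.000000 pen017 10.0.0.5 VIEW 1000 C5001
2016-05-02T09:00:00.100000 pen017 10.0.0.5 VIEW 1001 C5002
2016-05-02T09:00:00.200000 pen017 10.0.0.5 VIEW 1002 C5003
2016-05-02T09:00:00.300000 pen017 10.0.0.5 VIEW 1003 C5004
2016-05-02T09:00:00.400000 pen017 10.0.0.5 VIEW 1004 C5005
2016-05-02T09:00:00.500000 pen017 10.0.0.5 VIEW 1005 C5006
2016-05-02T09:00:00.600000 pen017 10.0.0.5 VIEW 1006 C5007
2016-05-02T09:00:00.700000 pen017 10.0.0.5 VIEW 1007 C5008
2016-05-02T09:03:15.000000 pen042 10.0.0.9 VIEW 2310 C7710
2016-05-02T09:41:02.000000 pen042 10.0.0.9 VIEW 2311 C7711
"""


def parse_log(text):
    """Parse whitespace-separated records into AccessEvent tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, op, file_no, customer = line.split()
        events.append(AccessEvent(datetime.fromisoformat(ts), user, ip, op,
                                  int(file_no), customer))
    return events


def detect_anomalies(events, rate_limit=5, window=timedelta(seconds=1),
                     run_length=5):
    """Return alert strings for (a) any user exceeding rate_limit file views
    inside one window and (b) any user walking run_length consecutive file
    numbers in ascending order, the signature of enumeration by changing
    the file number. Each user is reported once per rule."""
    alerts, recent = [], defaultdict(deque)
    last_file, run = {}, defaultdict(int)
    flagged_rate, flagged_enum = set(), set()
    for ev in sorted(events, key=lambda e: e.ts):
        q = recent[ev.user]
        q.append(ev.ts)
        while ev.ts - q[0] >= window:      # drop timestamps outside the window
            q.popleft()
        if len(q) > rate_limit and ev.user not in flagged_rate:
            flagged_rate.add(ev.user)
            alerts.append(f"RATE {ev.user} {len(q)} views within "
                          f"{window.total_seconds():g}s from {ev.ip}")
        consecutive = last_file.get(ev.user) == ev.file_no - 1
        run[ev.user] = run[ev.user] + 1 if consecutive else 1
        last_file[ev.user] = ev.file_no
        if run[ev.user] >= run_length and ev.user not in flagged_enum:
            flagged_enum.add(ev.user)
            alerts.append(f"ENUM {ev.user} {run_length} consecutive files "
                          f"ending at {ev.file_no}")
    return alerts


def outside_mandate(events, mandate):
    """Post-hoc audit: accesses to customers a user was not assigned.
    mandate maps user code -> set of customer codes. Only possible because
    the customer code is in the record, as the banking guidelines require."""
    return [ev for ev in events if ev.customer not in mandate.get(ev.user, set())]
```

With the defaults, the sample log yields one enumeration alert and one rate alert for the partner user, and the mandate audit lists every file that user opened beyond the two customers assigned to it.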

As a result, the Italian DPA sanctioned the bank, imposing a separate fine for each of the violations described above, for a total amount of 600.000€.

Comment

The fine was applied under the pre-GDPR legislation, because the breaches and the subsequent notification to the DPA took place between 2016 and 2017.

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.


Injunction order against UniCredit SpA - June 10, 2020

Register of measures
n. 99 of 10 June 2020

GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Dr. Antonello Soro, president, Dr. Augusta Iannini, vice-president, Dr. Giovanna Bianchi Clerici and Prof. Licia Califano, members, and Dr. Giuseppe Busia, secretary general;

GIVEN the law 24 November 1981, n. 689, and subsequent amendments and additions, with particular reference to art. 1, paragraph 2;

NOTING that the Guarantor's Office, with act no. 15976/119444 of 14 May 2019, which must be considered fully referred to here, contested against UniCredit SpA (hereinafter "the Company"), in the person of its pro tempore legal representative, with registered office in Milan, Piazza Gae Aulenti no. 3, VAT no. 00348170101, the administrative violations provided for by articles 162, paragraph 2-bis, 162, paragraph 2-ter, and 164-bis, paragraph 2, of the Code regarding the protection of personal data (Legislative Decree 196/2003, hereinafter the "Code", in the wording prior to the amendments introduced by the entry into force of Legislative Decree 101/2018), in relation to articles 33 and 154, paragraph 1, lett. c) of the same Code;

NOTING that, by examining the documents of the sanctioning procedure, initiated with the aforementioned contestation document, it emerged that:

- the Company, on 25 July 2017, informed this Authority that it had suffered a computer intrusion, which occurred at two distinct times between April 2016 and July 2017 and resulted in unauthorised access to the personal data of about 762,000 data subjects; these abusive accesses were made with the user accounts of some employees of an external commercial partner (the company Penta Finanziamenti Italia Srl, hereinafter "Penta") through an application called Speedy Arena. In particular, it emerged that the data affected by the violation consisted of: personal and contact data, profession, level of education, identification details of an identity document and information relating to employer, salary, loan amount, status of payment,

- the Office initiated a complex preliminary investigation against the Company, culminating in an inspection that took place on 22, 23 and 24 October 2018;

- following the investigation carried out by the Office, the Guarantor adopted, on 28 March 2019, provision no. 87 (available on www.gpdp.it, web doc. no. 9104006, hereinafter the "provision"), to which reference is made in full, with which it declared unlawful the processing of personal data carried out by Unicredit as data controller, because carried out in violation of the minimum security measures provided for by articles 33 and following of the Code and of the technical specification in Annex B) to the Code, and of the measures prescribed by provision no. 192 of 12 May 2011, containing "Requirements regarding the circulation of information in the banking sector and the tracing of banking operations" (web document no. 1813953);

- the violation of the minimum security measures pursuant to art. 33 of the Code was ascertained with reference to the non-observance of rules nos. 12 and 13 of the technical specification in Annex B) to the Code, in relation to the use of an unsuitable authorisation system in the Speedy Arena application and to the absence of any limitation of the authorisation profiles to only the data necessary to carry out the processing operations;

- the violation of the measures prescribed by provision no. 192 of 12 May 2011 was ascertained in relation to the inadequacy and incorrect retention of the tracking logs of the operations carried out on the Speedy Arena application, the failure to implement alerts for the operations carried out through that application and the failure to carry out internal control audits;

NOTING that, with the aforementioned deed of 14 May 2019, the following were contested against the Company, as data controller pursuant to articles 4, paragraph 1, lett. f), and 28 of the Code:

- the administrative violation provided for by art. 162, paragraph 2-bis, of the Code, in relation to art. 33, with reference to the failure to adopt the minimum security measures;

- the administrative violation provided for by art. 162, paragraph 2-ter, of the Code, in relation to art. 154, paragraph 1, lett. c), with reference to the non-observance of the prescriptions given by the Guarantor with the provision n. 192 of May 12, 2011;

- finally, the violation provided for by art. 164-bis, paragraph 2, of the Code, with reference to the fact that the violations committed refer to banks of particular importance or size;

NOTED from the report prepared by the Office pursuant to art. 17 of law no. 689/1981 that payment in the reduced amount was not made in relation to the violations referred to in articles 162, paragraph 2-bis, and 162, paragraph 2-ter, of the Code;

GIVEN the defence briefs, sent on 12 June 2019 pursuant to art. 18 of law no. 689/1981, which are fully referred to here, in which the Company set out the reasons why the conditions for applying the sanctions for the contested violations would not exist and, in summary, stated that:

- with reference to the violation of the security measures pursuant to art. 33 of the Code, the authorisation system adopted for the Speedy Arena application was fully compliant with rule 12 of the technical specification in Annex B) to the Code, in force at the time of the facts, given that "no error occurred in the definition of the authorisation profiles, which were correctly set up and operational". Instead, "undue access to personal data was possible only because of Penta's incorrect management of access credentials, which allowed the subsequent exploitation of an application bug". The Speedy Arena application could only be used through the Extranet,

- unlike what was found in the provision and subsequently contested, "the authorisation profiles for each person in charge, or for homogeneous classes of UniCredit persons in charge, are identified and configured prior to the start of processing, in order to limit access to only the data necessary to carry out the processing operations". The Company therefore claims to have correctly defined the access levels of the Speedy Arena application, and that only because of improper use of the access credentials by Penta users, followed by the exploitation of a computer bug in the back-end systems of that application, was it possible to overcome the visibility restrictions and access segregations, which had otherwise been correctly implemented;

- "the fact that it was not possible to access the tracking logs of the operations carried out (...) and that these logs did not record the code of the customer affected by the access to bank data by the person in charge does not imply the total inadequacy of the security measures adopted". In fact, the Company had adopted a banking transaction tracking system, complementing the log collection systems of the individual applications, which allowed it to reconstruct the events related to the data breach. In particular, it was possible to identify the start date of the violation and its scope thanks to the log collection system that gathered the firewall logs, which included: the file number, the user code of the operator who performed the access operation, the IP address from which the operation was carried out, the date and time of execution of the operation and the type of operation carried out, in accordance with the measures prescribed in point 1, lett. b) of the provision of 12 May 2011;

- finally, as regards the charge relating to the failure to implement alerts, the Company stated that, already at the time of the disputed events, a firewall system was in place that filtered and assessed the volume of traffic across the Company's entire application estate and, upon exceeding particularly high traffic thresholds, sent an alert, "without being able to identify a number of queries such as those of the present case which, although high for the individual application, were not significant compared with the IT traffic that a credit institution such as Unicredit handles daily";

READ the minutes of the hearing held on 6 November 2019 pursuant to art. 18 of law no. 689/1981, at which the party reiterated what had already been stated in the defence briefs, requesting the dismissal of the sanctioning procedure or, in the alternative, the application of the sanctions at the statutory minimum, in consideration of the fact that the data subjects did not suffer any prejudice and that the Company has further strengthened its security measures;

CONSIDERING that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false acts or documents is liable pursuant to art. 168 of the Code, "False statements to the Guarantor and interruption of the execution of tasks or the exercise of the powers of the Guarantor";

CONSIDERING also that the significant profiles of unlawfulness of the processing that emerged in the present case, as a consequence of the failure to adopt adequate technical and organisational measures, in any event require the corrective intervention of this Authority in the terms set out today, in order to safeguard the fundamental rights and freedoms of data subjects, regardless of the notification of the personal data breach made by the data controller;

CONSIDERING that the arguments put forward are not suitable to exclude the responsibility of the party in relation to what is contested. In its defence briefs, the party clarified many aspects related to the set-up of the computer authentication systems which, on the basis of the investigations carried out by the Office, were indeed compliant with the provisions of the technical specification. The same cannot be said of the aspects related to the set-up of the authorisation systems for the persons in charge of the processing, referred to in rules no. 12 and no. 13 of that technical specification. The documentation acquired during the preliminary phase and, above all, the checks carried out during the inspection revealed an incorrect design of the authorisation system of the Speedy Arena application, which was particularly weak at both front-end and back-end level. On the other hand, the Company itself had stated, in the audit report of 30 November 2017, that the Speedy Arena application had been developed to be used only by internal employees (who have no restriction on the visibility of files) and that it was subsequently extended to subjects external to the Company, implementing a segregation of accesses which then proved not to be secure. In fact, "taking advantage of some security weaknesses of the application in question, unknown subjects, through the credentials assigned to Penta staff, had access to the personal data present in financing files that did not fall within the scope of Penta's mandate, thus giving rise to the data breach covered by the communication of 25 July 2017" (minutes of 22 October 2018, p. 3).
The ascertained presence of some weaknesses in the Speedy Arena application, even if caused by a computer bug (a circumstance that was never represented by the Company during the investigation), nevertheless remains attributable to the sphere of responsibility of the data controller who, in preparing the measures referred to in Annex B) to the Code, aimed at ensuring a minimum level of protection of personal data, must guarantee their effectiveness over time; it therefore cannot be attributed to Penta. It turned out, in fact, that Penta's operators, after passing the IT authentication procedures, could access any financing file (both "consumer loan" and "assignment of one fifth of salary"), taking advantage of the aforementioned weaknesses of the Speedy Arena application, simply by changing the identification number of the file and, above all, regardless of the authorisation profile assigned to them. If, on the other hand, the authorisation profiles had been correctly set up and configured with access restrictions, each Penta operator could have consulted only the data relating to his own files, as the authorisation system would have blocked any access to files managed by other subjects. Instead, it was verified that the access restrictions associated with the authorisation profiles were not working properly. It is noted, contrary to what the controller argues, that the possibility of viewing files outside one's own competence is a circumstance independent of the improper use of the user accounts assigned to the persons in charge. There is therefore a violation of the security measures pursuant to art. 33 of the Code.

As regards the violation relating to the failure to comply with provision no. 192 of 12 May 2011, it is noted that, regardless of the fact that the Company managed to identify the fundamental aspects of the data breach and to take the necessary measures, there is no doubt that the tracking logs had not been correctly implemented, both with reference to the log retention time (which was less than 24 months from the date of registration of the transaction) and with reference to the failure to record the code of the customer affected by the access to bank data. With reference to the first aspect, the Company itself stated that "since log files prior to April 28, 2016 are not available, the exact extent of the data breach cannot be determined" (audit report of 30 November 2017), because no useful elements could be identified. With reference to the second aspect, it is noted that the Guarantor considered that the recording in the tracking logs of the customer code (together with the other information identified in point 4.2.1 of provision no. 192) is fundamental in order to ensure effective control of the activities carried out on customer data by each person in charge. Among other things, this prescriptive measure is functional to the others indicated in the provision, including the one relating to the activation of specific alerts aimed at detecting intrusions or anomalous and abusive access to information systems, by analysing and correlating the tracking logs relating to all the applications used by the persons in charge.
The presence of the file number in the logs, instead of the customer code, would not have made it possible, except through a complex and laborious operation of cross-referencing the data in the logs with the customer data (also considering that the same file can refer to multiple customers or that different files can refer to the same customer), to correlate the tracking logs generated by the Company's different applications with each other. The Company itself stated, during the investigation, that at the time when the unlawful access occurred there was no alert mechanism capable of detecting anomalous behaviour in access operations performed by users external to the Company (such as Penta operators). In fact, with respect to the specific episode of data breach that is the subject of this procedure, it emerged that "customer files were consulted with a frequency of up to 10 per second, in consecutive order, by a single user", without such anomalous behaviour being detected, and that the failure to activate alerts was one of the conditions that "contributed to the exfiltration of the data, which lasted for at least 14 months without being identified" (audit report of 30 November 2017). With regard to the foregoing, it is believed that the Company is liable for the failure to adopt the measures prescribed by provision no. 192;

NOTING, therefore, that UniCredit SpA, as data controller pursuant to art. 4, paragraph 1, lett. f) and 28 of the Code, appears to have committed the violations referred to in articles 162, paragraph 2-bis, and 162, paragraph 2-ter, of the same Code, as indicated in the contestation act no. 15976/119444 of 14 May 2019, as well as the violation pursuant to art. 164-bis, paragraph 2, for having committed the aforementioned violations in relation to databases of particular relevance and size;

CONSIDERING that, for the purpose of determining the fines, account must be taken, pursuant to art. 11 of law no. 689/1981, of the action taken by the offender to eliminate or mitigate the consequences of the violation, the seriousness of the violation, and the personality and economic conditions of the offender;

CONSIDERING that, in the present case:

- with regard to gravity, the elements relating to the intensity of the psychological element and the extent of the danger and prejudice must be assessed taking into account that the violations were committed in relation to a significant number of data subjects;

- for the purposes of evaluating the action taken by the offender, it should be noted that the Company, following the data breach in question, adopted various measures and launched initiatives aimed at strengthening the security of its IT systems;

- regarding the personality of the author of the violation, the fact that there are no previous sanctioning proceedings against UniCredit SpA must be considered;

- with regard to the economic conditions of the offender, the financial statements for 2018 were taken into consideration;

CONSIDERING, therefore, that the amount of the financial penalties must be determined, pursuant to art. 11 of law no. 689/1981, on the basis of the aforementioned elements assessed as a whole, as follows:

- € 120,000.00 (one hundred twenty thousand) for the violation pursuant to art. 162, paragraph 2-bis, of the Code, in relation to art. 33;

- € 180,000.00 (one hundred and eighty thousand) for the violation pursuant to art. 162, paragraph 2-ter, of the Code, in relation to art. 154, paragraph 1, lett. c);

- € 300,000.00 (three hundred thousand) for the violation pursuant to art. 164-bis, paragraph 2, of the Code;

for a total amount of € 600,000.00 (six hundred thousand);

GIVEN the documentation in the records;

GIVEN law no. 689/1981 and subsequent amendments and additions;

GIVEN the observations of the Secretary General pursuant to art. 15 of the Guarantor's regulation no. 1/2000, adopted by resolution of 28 June 2000;

SPEAKER Dr. Augusta Iannini;

ORDER

UniCredit SpA, in the person of its pro tempore legal representative, to pay the sum of € 600,000.00 (six hundred thousand) as a pecuniary administrative sanction for the violations indicated in the reasoning;

enjoins

the aforementioned company to pay the sum of € 600,000.00 (six hundred thousand), according to the methods indicated in the annex, within 30 days of notification of this provision, failing which the consequent enforcement acts will be adopted pursuant to art. 27 of law no. 689 of 24 November 1981.

Pursuant to articles 152 of the Code and 10 of Legislative Decree no. 150/2011, this provision may be challenged before the ordinary judicial authority, by an appeal lodged with the ordinary court of the place where the data controller has its residence, within thirty days from the date of communication of the provision, or sixty days if the applicant resides abroad.

Rome, June 10, 2020