Unicredit S.p.A.

€2,800,000

Insufficient technical and organisational measures to ensure information security

Data da decisão

8 de fevereiro de 2024

Autoridade

Italian Data Protection Authority (Garante)

IT

Setor

Employment

País

IT

Lei

GDPR

Status

FINAL

Descrição

The Italian DPA has imposed a fine of EUR 2.8 million on UniCredit S.p.a.. The bank had suffered a cyberattack on its mobile banking portal, during which the attackers gained access to numerous data (e.g. name, social security number, identification codes) of thousands of customers and former customers. The attackers were also able to determine the PIN to access the portal of over 6,800 customers. During its investigation, the DPA found that the controller had failed to implement appropriate technical and security measures to counter such a cyber attack. The controller also did not prevent customers from using weak PINs. In setting the fine, the DPA considered the large number of data subjects and the seriousness of the breach. However, the fact that the bank took remedial action in good time and that no bank data was affected was taken into account positively.

Citações legais

Art. 5 (1)Art. 32 (1)

Problemas e violações

Insufficient technical and organisational measures to ensure information security
Ver documento oficial
Voltar ao banco de dados de multas
Multa anterior
Spanish Data Protection Authority (aepd) - IBERDRO...
Próxima multa
Data Protection Authority of Hamburg (HmbBfDI) - C...

Mantenha-se atualizado sobre a aplicação da privacidade

Respeitamos sua privacidade. Um e-mail por mês, sem spam, cancele sua inscrição a qualquer momento.