In two decisions dated 8 February 2024, related to the same data breach occurred in 2018, the Italian Data Protection Authorithy imposed a fine of Eur 2.8 million on Unicredit, the data controller, and a fine of Eur 800,000 on NTT Data, the data processor, a company to which the bank had outsourced the performance of testing on the security measures.
A data breach that occurred against customers of UniCredit, one of the major Italian banks, resulted in the imposition of an administrative fine on both the data controller and the data processor for failure to take appropriate technical, organizational and security measures to prevent the data breach.
In 2018 UniCredit’s mobile banking portal was massively attacked by cyber criminals; such data breach was notified by the data controller to the Italian Data protection Authority pursuant to Article 33 GDPR. In particular, the data breach resulted in the unlawful acquisition of common personal data (first name, last name, tax code and internal bank identification code, excluding bank data) of about 800,000 bank’s customers.
Following a complex investigation into the security and organizational measures applied to the bank’s portal, in its first decision dated 8 February 2024, the Italian Data Protection Authority identified the bank’s responsibilities for failure to verify the compliance of processing with the integrity and confidentiality principles and for violation of security obligations under Article 32 GDPR.
In imposing the administrative fine of Eur 2.8 million to Unicredit, the Italian Data Protection Authority took into account the significant number of data subjects involved, the supporting measure put in place in favor of customers who were victims of the data breach, the mitigation measures taken just after the event and the active cooperation of the data controller with the Authority.
With the second decision issued on 8 February 2024, related to the same data breach, the Italian Data Protection Authority fined NTT Data, a company entrusted by UniCredit to perform penetration testing and vulnerability assessment and appointed by the bank as data processor.
Despite the fact that the contract signed with UniCredit provided for the prohibition of entrusting third parties with the execution of the services and the obligation, in case of detection of vulnerabilities with high severity, to immediately inform the data controller, NTT Data entrusted a third party company with the execution of these activities and notified UniCredit of the breach of its customers’ personal data beyond the deadline provided for by GDPR and only following an express request from the bank. The Italian Authorithy pointed out in its decision that the data processor plays a key role in enabling the data controller to fulfill its security obligations under Articles 32 to 36 GDPR in a timely manner, and ascertained the unlawful conduct of the data processor as a violation of Articles 28 and 33 GDPR, condemning NTT Data to pay a fine of Eur 800,000.