UniCredit Staff Data for Sale on Cybercrime Forum After Hack

(Bloomberg) -- Data on about 3,000 UniCredit SpA employees was put up for sale on cybercrime forums after a hacking attack.

The data went on sale on April 19 and contained what the hacker said was information on UniCredit workers, including emails, phone numbers, encrypted passwords and names, Telsy, a unit of Telecom Italia SpA, wrote on its website Monday.

“The database appears to be genuine and the potential result of a SQL injection attack,” Telsy wrote. A SQL injection is a malicious code-insertion technique used to attack applications.

UniCredit said it was investigating the matter and is contacting “relevant authorities.”

“UniCredit became aware that its name has been mentioned in relation to an alleged case of data breach in Romania related to an HR recruiting platform provided and managed by a third party,” Italy’s biggest bank said in response to questions from Bloomberg News. “There is no evidence of any UniCredit systems having been accessed,” the company said.

Leaked data is sold on the basis of a plan relating to the number of “rows” offered to the buyer. The cost of the full package including 150,000 rows of data is $10,000, and it contains UniCredit data “from late 2018-2019,” according to Telsy’s posting. It costs $1,000 to gain access to the 3,000 employees names.

Like many large companies and institutions, banks have faced several cyberattacks that have disrupted operations or compromised clients’ private information. Last year, UniCredit discovered a breach involving data including names, phone numbers and emails of 3 million customers.

UniCredit, which has invested billions of euros since 2016 to upgrade its cybersecurity and information technology systems, said that “data security and privacy are our key priorities at all times.”

©2020 Bloomberg L.P.