SECURITY
Global Italian banking and financial services company UniCredit S.p.A revealed Monday that 3 million customer records were stolen in a data breach that may have taken place as far back as 2015.
The hack involved the theft of names, cities, phone numbers and email addresses of the bank’s Italian customers but did not include other personal data or bank details that UniCredit claims could be used to access customer accounts.
UniCredit, which had previously disclosed a hack involving 400,000 customer records in 2016, said it has launched an internal investigation into the hack and is informing potentially affected customers. How the data breach occurred was not disclosed.
“Customer data safety and security is UniCredit’s top priority and since the 2016 launch of Transform 2019, the Group has invested an additional 2.4 billion euro in upgrading and strengthening its IT systems and cybersecurity,” UniCredit said in a statement.
Some reports suggest that the theft of the data may have been the result of an employee mistake. Shpend Kurtishaj, director of international security operations at crowdsourced cybersecurity platform Bugcrowd Inc., told SiliconANGLE that the breach underscores the fact that software vulnerabilities are not the only cause of data breaches and that even trusted people with access to sensitive information have to be considered in a risk assessment.
“I recommend setting up policies that prohibit storing personally identifiable information in an unencrypted form and strictly enforcing it,” Kurtishaj said. “When looking at the UniCredit incident, it’s clear that they either did not have such a policy or it wasn’t followed, giving attackers an open invitation to grab data.”
Grant McCracken, director of solutions architecture at Bugcrowd, suggested that because the UniCredit compromise came as the result of a file from 2015, the file in question was likely an improperly stored backup file of some kind.
“While not extremely common, this is something we do see a fair amount in the wild — a database that got deprecated, but never destroyed, or a backup file left exposed in an S3 bucket, just waiting for someone to stumble upon it,” he said. In fact, he added, a similar issue happened to DoorDash just a month ago.
“Given the age of this file, it’s unlikely that it was stolen in relation to their current production app, but instead was an unsecured vestigial or forgotten asset that led to the compromise of the greater organization,” McCracken said. “This goes to show that it’s important to understand your entire attack surface and all the associated unknowns; attackers rarely come in through the front door.”