Weekly Cyber Risk Roundup: UniCredit Breach and Two Swedish Officials Resign

The Italian bank UniCredit was among the week’s top trending cybercrime targets after the bank announced it had been the victim of two separate data breaches affecting approximately 400,000 customers who had taken out personal loans.


The first breach occurred between September and October 2016, and the second breach occurred between June and July 2017, UniCredit wrote in its press release. The breaches occurred “due to unauthorized access through an Italian third party provider” and resulted in personal information and international bank account numbers being compromised.

Bloomberg, which described the incident as “one of the biggest breaches of European banking security this year,” reported that both breaches were only discovered this past week.

Daniele Tonella, the CEO of UniCredit Business Integrated Solutions, said that while conducting checks the IT department discovered that some users from an external commercial partner were accessing client data. Tonella said the bank quickly moved to block the access and has since upgraded the system.

UniCredit said that it is investing €2.3 billion in upgrading and strengthening its IT systems as part of its “Transform 19” plan.


Other trending cybercrime events from the week include:

  • Payment card and bitcoin thefts announced: The Galt House Hotel is notifying patients that it discovered malware on its point-of-sale systems and that customers who used their cards at the hotel between December 21, 2016 and April 11, 2017 may have had their information compromised. Newcastle University is warning that a fake website is using its brand and duping students into handing over their payment card information and other personal details in order to sign up for fake courses. Police arrested a man who claims to have used malware to steal between $40 million and $50 million worth of bitcoin. According to court documents, the man said he wrote software that simulates the code used to create bitcoin wallets and then distributed that software via certain internet forums. The software would steal bitcoin keys by replacing other people’s wallets with the attacker’s wallets during transactions.
  • New ransomware announcements:  The Groundlings Theatre said that an email containing a fake invoice led to a ransomware infection that encrypted 54,000 files. The company said it paid the £300 ransom demand to recover the files and that it should take about four weeks to fully recover all of them. Plastic Surgery Associates of South Dakota is notifying patients that their information may have been compromised due to a ransomware infection on February 12, 2017. The Women’s Health Care Group of PA said that malicious actors exploited a security vulnerability to gain access to its systems as far back as January 2017 and that led to a ransomware infection and the potential compromise of patient information.
  • More accidental disclosures: Sutton Council in the UK published an unredacted spreadsheet on its website that listed the names and payments issued to hundreds of individuals who received over £500 in benefits such as disability, adoption, fostering allowances, day care respite, and special needs education. BlueCross BlueShield of Tennessee said that 657 employers’ group benefit administrators were sent information meant for other companies due to a computer glitch. As a result, 2,100 individuals had their personal information compromised, including member names, dates of birth, plan type and coverage dates, and member identification numbers.
  • Other notable incidents: A dark web user is selling 40 million voter records from 9 different states and has hinted that he may possess records for an additional 20 to 25 states. More than 5.5 million Social Security numbers were stolen in the previously reported March 2017 data breach of America’s Job Link Alliance-TS. The University of Vermont Medical Center is notifying 2,300 patients that their information may have been compromised due to a phishing incident that led to an unauthorized third party gaining access to an employee email account. A North American casino had its Internet-connected fish tank compromised, and the attacker used that access to move laterally to other places in the network. The supermarket chain Loblaws said that a “small number of user accounts” were affected by “unauthorized online activity” and is asking users to reset passwords.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

Two Swedish officials have resigned following criticism over a large data breach that may have compromised classified information as well as the sensitive personal data of citizens.

According to The New York Times, the breach was due to a lack of adequate safeguards being adopted when the Swedish government entered into an outsourcing agreement with IBM Sweden to manage vehicle registration and driver’s license databases back in April 2015. The nearly $100 million agreement lacked certain safeguards, the Times reported, which allowed unauthorized personnel at IBM subsidiaries in Eastern Europe to access large amounts of sensitive data such as details about Sweden’s infrastructure and the identities of people working undercover for the Swedish police and the Swedish security service.

Last Thursday, Swedish Prime Minister Stefan Löfven announced the resignation of Anders Ygeman, the Minister of Home Affairs, and Anna Johansson, the Minister of Infrastructure. Politico reported that Defense Minister Peter Hultqvist will not resign, despite demands from the opposition that he do so.

News of the leak first began to spread earlier this month after the Transport Agency’s former director general Maria Agren, who had been fired in January, was fined 70,000 Swedish krona ($10,700) for mishandling confidential information, The Sydney Morning Herald reported. Anders Thornberg, the head of Sweden’s security service, said that while inadequately protected information must be considered breached, the data may not have been compromised due to that inadequate protection. However, Thornberg also said that the incident was “very serious because it could damage our operational business that we are conducting every day in order to protect Sweden.”

The Times reported that results from a preliminary investigation revealed at least three unauthorized people in the Czech Republic had full access to the sensitive databases.

Author: Jeff Peters

SurfWatch Labs editor and host of SurfWatch Labs Cyber Chat podcast. Focused on using threat intelligence and data visualization in order to bring cybercrime to life and help make organizations safer.
