With an injunction order dated 10 June 2020, the Privacy Guarantor ordered Unicredit S.p.A. to pay € 600.000 following a given breach caused by abusive access to the personal data of over 700.000 customers. The abusive accesses, concerning a multiplicity of information, had been made using the utilities of some employees of an external business partner, through the “Speedy Arena” application. In particular, the violation concerned personal and contact data, profession, level of study, identification details of an identification document and information relating to the employer, salary, loan amount, payment status, credit ranking and Iban code of about 762.000 interested parties.
The computer intrusion, which occurred between April 2016 and July 2017, was communicated to the Guarantor by Unicredit in 2017.
The investigation carried out against the Company culminated, in October 2018, in an inspection, as a result of which the Guarantor had adopted measure no. 87 of 28 March 2019, by which it had declared the processing of personal data carried out by Unicredit unlawful since it was carried out in violation of the minimum security measures. In particular, the Guarantor had detected some technical weaknesses in the “Speedy Arena” application, caused by an IT bug. In this regard, the Company itself had stated in the 2017 audit report that the above application had been developed to be used only by internal employees, who had no restrictions on the visibility of the practices. Subsequently, access was also extended to external parties (in this case, the employees of an external business partner) to the Company, implementing segregation of access that had not turned out to be secure.
The Guarantor ascertained the presence of the technical weaknesses found in the application in question was in any case attributable to the sphere of responsibility of Unicredit, as a data controller. For these reasons, therefore, the Company had to consider itself responsible in preparing the security measures aimed at ensuring a minimum level of protection of personal data and in guaranteeing their effectiveness over time, although the breach had been committed by parties unrelated to it. The Guarantor noted that, if the authorization profiles had been correctly set up and configured with the access restrictions, each operator outside the Company could have consulted only the data relating to the files for which it was responsible, as the authorization system would have blocked any access to files managed by other parties. Also, Unicredit was also held responsible for the failure to comply with the Guarantor’s provision no. 192 of 12 May 2011 regarding the procedures for tracking banking transactions.
For the application of financial penalties, the Guarantor made the following considerations:
– concerning the seriousness, it assessed the elements relating to the intensity of the psychological element and the extent of the danger and injury, considering that the violations were committed concerning a significant number of those involved;
– to evaluate the work carried out by the agent, it took note of the adoption by the Company, after the date of the breach, of various measures and initiatives aimed at strengthening the security of its IT systems;
– as regards the personality of the perpetrator of the breach, it considered the absence of sanctioning proceedings against UniCredit;
– concerning the economic conditions of the agent, it considered the financial statements for the year 2018.
The measure in question, therefore, was made by the Guarantor in consideration of the relevant profiles of the unlawfulness of the processing that emerged from the outcome of the investigation, as a consequence of the failure to adopt adequate technical and organizational measures by Unicredit, with the clear intention of safeguarding the rights and fundamental freedoms of the data subjects, regardless of the notification of the violation of personal data made by the data controller.