UniCredit, Italy’s largest bank by assets, has launched an internal investigation after uncovering a data breach involving 3 million records.
Its cyber security team identified the incident involving a file generated in 2015 that affected Italian customers, with records containing names, city, telephone number and email.
The bank said no other personal data or any bank details permitting access to customer accounts or allowing for unauthorised transactions have been compromised.
The bank, one of the five biggest asset finance companies in Europe, according to the annual AFE50 ranking, said it had informed all the relevant authorities, including the police, and is contacting all those affected.
Discovery of the breach comes two years after the bank revealed 400,000 Italian personal loan customers were affected by two data security breaches due to unauthorised access through an Italian third-party provider.
The bank’s executives said the latest incident was not related to previous incidents.
A statement from UniCredit said customer data safety and security is the bank's top priority and it has invested an additional €2.4 billion in upgrading and strengthening IT systems and cyber security in the past three years.
In June this year, the group implemented a new, stronger identification process for access to its web and mobile services, as well as payment transactions, which requires a onetime password or biometric identification.
As part of the new EU General Data Protection Regulation, companies are required to ensure the data they process is secure, with national authorities authorised to impose substantial fines for non-compliance of up to €20 million in the most serious cases.
A recent report from Accenture claimed that around 80% of organisations are introducing digitally-fuelled innovation faster than they can secure it against cyber-attackers.
However, it warned the biggest threat to cyber security came from human error, which meant training programmes should be a priority.