UniCredit blames third-party provider for the data breach which has happened between September and October 2016 and repeated in June-July 2017. Customer passwords and other data which allow unauthorized access to customer accounts remained safe, while some other personal information and IBAN numbers have been exposed. The breach was affected by new IT director.
In the next year, the EU data regulation GDPR (General Data Protection Regulation) comes into force, which means that a data breach can cost the banks up to 4% of their annual revenue.
Details of 400,000 loan applicants spilled in UniCredit bank breach - The Register
Hack on Italy's largest bank affects 400,000 customers - BBC
Hackers Breach 400,000 UniCredit Bank Accounts for Data – Bloomberg