Third-party data processor causes data breach for Italy’s largest Bank, strengthening the call to encrypt all data

Italy’s biggest lender UniCredit has been hit by two data breaches in the last 10 months, with blame directed at a third-party provider. Around 400,000 customers are affected.

This week, Italy’s biggest lender UniCredit revealed that it suspected attackers had breached the bank in two separate attacks in the past year, with the number of customers affected estimated to be around 400,000.

UniCredit is blaming an unnamed third-party provider, most likely a data processor, for exposing Italian customer data. In a statement, the bank said the exposed data included international bank account numbers (IBANs) and other personal information, and that it may have been taken at any point over this period.

This kind of leak is exactly the type of security issue that GDPR addresses directly and which companies can no longer afford to ignore. Article 25 of the GDPR (“data protection by design and by default”) requires controllers to build safeguards into their processing from the outset; applied to Personally Identifiable Information (PII) handed to a third-party data processor, that means protecting the data ‘in motion’, ‘at rest’ and ‘in use’, so that it remains protected at every stage of the processing operations.

A common way to achieve this is to encrypt data before it is shared with a data processor, and in practice this is done in one of two ways. The first is to encrypt the sensitive PII on the controller’s side; the downside is that plain encryption renders the fields useless for search, sort, filter and report functions, which limits what the user or the data processor can still do with the data. The second is to switch on the encryption offered by the cloud provider itself. The trouble with that option under GDPR is that the cloud provider now manages all or part of the encryption keys, so the controller no longer has sole control over who can decrypt its customers’ data, which runs counter to the data-protection-by-design principle.

To address specific GDPR requirements, more advanced cloud data protection solutions, such as the eperi Gateway, are needed: they keep the keys with the controller, so that data obtained from a compromised processor cannot be decrypted, and, most importantly, they keep the encrypted data usable, searchable and processable for authorised users.

In the case of UniCredit, if the PII had been encrypted before it left the bank’s network, and the bank (not the cloud provider) had kept full control of the encryption process and keys, the breach at the third party would have yielded only ciphertext. Encryption is reversible only by those in possession of the cryptographic keys; with the keys held inside the bank and never handed to the processor, successful attackers at the processor would have stolen unintelligible data. The caveat is that this holds only if the processor genuinely never needs the keys and the encryption endpoint inside the bank is not itself compromised.
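The following is an added example, not code from eperi or from this article, of the pattern the previous paragraphs describe: the controller (the bank) encrypts each PII field before it leaves its network and keeps every key, while the processor stores only ciphertext plus a keyed “blind index” token, so it can still answer an equality query such as “find the record for this IBAN” without ever being able to read an IBAN. Everything here is an assumption for illustration: the class and function names, the customer records (constructed dummy values; the check digits are not validated), and the cipher, which is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag so that the example runs on the Python standard library alone. In production you would use AES-GCM from a vetted library; the key-handling and search structure is the point, not the cipher.

```python
"""Client-side field encryption with controller-held keys and a keyed blind index.

Added example, not eperi's code. The cipher is an HMAC-SHA256 counter-mode stream
with an HMAC tag (encrypt-then-MAC) only so that it runs on the standard library;
use AES-GCM from a vetted library in production.
"""
import hashlib
import hmac
import json
import secrets

NONCE_LEN = 16
TAG_LEN = 32


class ControllerCrypto:
    """Lives inside the controller's network; the processor never sees these keys."""

    def __init__(self, master_key: bytes):
        # Derive three independent subkeys with labels (an HKDF-style split) so the
        # index key cannot decrypt anything and the encryption key cannot index.
        self.enc_key = hmac.new(master_key, b"field-encryption", hashlib.sha256).digest()
        self.mac_key = hmac.new(master_key, b"field-auth", hashlib.sha256).digest()
        self.idx_key = hmac.new(master_key, b"blind-index", hashlib.sha256).digest()

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        blocks = [
            hmac.new(self.enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            for ctr in range((length + 31) // 32)
        ]
        return b"".join(blocks)[:length]

    def encrypt(self, plaintext: bytes) -> bytes:
        # Fresh random nonce per call: the same IBAN encrypts differently every time,
        # so the stored ciphertext itself leaks no equality information.
        nonce = secrets.token_bytes(NONCE_LEN)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def decrypt(self, blob: bytes) -> bytes:
        if len(blob) < NONCE_LEN + TAG_LEN:
            raise ValueError("ciphertext too short")
        nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext authentication failed")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))

    def blind_index(self, iban: str) -> str:
        # Deterministic keyed token: equal IBANs give equal tokens, which is what lets the
        # processor do equality search. Without idx_key an attacker cannot enumerate
        # candidate IBANs and test them, which a plain (unkeyed) hash would allow.
        normalised = iban.replace(" ", "").upper()
        return hmac.new(self.idx_key, normalised.encode(), hashlib.sha256).hexdigest()


# Constructed sample customers for the example (dummy IBANs, check digits not validated).
SAMPLE_CUSTOMERS = [
    ("c1", "Mario Rossi", "IT60 X054 2811 1010 0000 0123 456"),
    ("c2", "Anna Bianchi", "IT40 S054 2811 1010 0000 0123 457"),
]


def build_processor_store(crypto: ControllerCrypto, customers):
    """Controller side: this is all that gets sent to the SaaS application / processor."""
    return [
        {
            "id": cid,
            "name_ct": crypto.encrypt(name.encode()).hex(),
            "iban_ct": crypto.encrypt(iban.encode()).hex(),
            "iban_idx": crypto.blind_index(iban),
        }
        for cid, name, iban in customers
    ]


def processor_lookup(store, iban_idx: str):
    """Processor side: equality match on the token only; it holds no key and no plaintext."""
    return [rec for rec in store if rec["iban_idx"] == iban_idx]


def controller_find_by_iban(crypto: ControllerCrypto, store, iban: str):
    """Controller side: tokenise the query, let the processor search, decrypt the hits."""
    hits = processor_lookup(store, crypto.blind_index(iban))
    return [(rec["id"], crypto.decrypt(bytes.fromhex(rec["iban_ct"])).decode()) for rec in hits]


def breach_dump_contains(store, needle: str) -> bool:
    """What an attacker who copies the processor's database can actually read."""
    return needle in json.dumps(store)


if __name__ == "__main__":
    bank = ControllerCrypto(secrets.token_bytes(32))
    store = build_processor_store(bank, SAMPLE_CUSTOMERS)
    print("plaintext IBAN readable in processor dump:", breach_dump_contains(store, "IT60 X054"))
    print("controller lookup:", controller_find_by_iban(bank, store, "it60x0542811101000000123456"))
```

Two design points matter for the GDPR argument in the text. First, the blind index supports equality only: sorting, range filters and substring search on encrypted fields need other techniques (order-preserving or format-preserving schemes) that leak more, so the set of operations the processor can still perform is a deliberate trade-off, not a free lunch. Second, the token does reveal which records share the same IBAN, and anyone who obtains the index key can test guessed IBANs against the dump, so the index key deserves the same protection and rotation discipline as the encryption key.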

Encrypting sensitive PII has further benefits under the GDPR. Article 33 § 1 says notification to the supervisory authority is not required where the “personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”, and Article 34 § 3(a) says communication to the affected individuals is not required where the data were rendered unintelligible to unauthorised persons, explicitly naming encryption as such a measure.

This is a key message for any company using SaaS applications such as Office 365, Salesforce or Microsoft Dynamics, and there are many. These are all ‘data processor’ environments under GDPR, and most organisations use them to process sensitive data such as employee or customer information on a regular basis. By using the eperi Gateway as a cloud data protection solution, enterprises can protect their sensitive PII before it leaves their network, implementing the GDPR data-protection-by-design principle. With eperi, PII is stored and processed as encrypted data, which can help enterprises reduce their GDPR exposure when using third-party data processors.