About 3,000 UniCredit Workers' Data Is Put Up for Sale After a Hacking Attack

UniCredit Employees Data for Sale

On April 19, a hacking forum user hiding behind the c0c0linoz moniker offered for sale personal and work-related information of UniCredit employees. UniCredit is the largest bank in Italy, and it's one of the biggest financial institutions in Europe. It has close to 100 thousand employees as well as subsidiaries in a number of countries. Many people were interested in what exactly was put up for sale, and researchers from Cyble as well as employees of a Telecom Italia unit called Telsy decided to take a look.

What was stolen?

According to c0c0linoz's post, budding cybercriminals with some cash in their pockets could buy UniCredit employees' names, email addresses, phone numbers, and encrypted passwords. Not much was available in terms of technical information, but the seller did point out that the data was dated back to "late 2018-2019," and after checking the sample records c0c0linoz posted on the hacking forum, Telsy's researchers concluded that the information is authentic.

Where was it stolen from?

Obviously, a breach at such a massive financial institution could have enormous consequences not just for employees, but also for customers. After hearing about the story, Bloomberg contacted the bank and was told that UniCredit's systems had not been breached. Instead, the attack was aimed at an HR recruiting platform developed and managed by a Romanian company.

Telsy's investigation identified several accounts on other hacking forums, which are likely connected to c0c0linoz, and the researchers saw the data was being advertised multiple times. Some of the ads did mention that the data originates from Romania, but it remains unclear whether the affected employees are located in the Eastern European country only or whether they're spread all around the continent.

How much does the data cost?

Evidence suggests that the third-party HR platform was hacked via an SQL injection. SQL injections are at the lower end of the spectrum when it comes to sophistication. It's far from the most difficult attack to pull off, but the fact remains that whoever did it wants a pretty penny.
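To show what the flaw the article names looks like in code, here is an added illustration that is not part of the article and not the recruiting platform's code: a lookup built by string formatting beside the parameterized version that fixes it. The table, the placeholder names and the query are constructed for the example; the point is that the same input is treated as SQL by the first function and as plain data by the second.

```python
import sqlite3

# Constructed sample table in the shape of an HR platform's employee records.
# Every value below is a made-up placeholder, not data from the incident.
SAMPLE_ROWS = [
    ("alice.example", "alice@example.invalid", "+00 000 0001"),
    ("bob.example", "bob@example.invalid", "+00 000 0002"),
    ("carol.example", "carol@example.invalid", "+00 000 0003"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (username TEXT, email TEXT, phone TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Builds the statement by string formatting, so user input becomes SQL.

    A value containing a quote character changes the WHERE clause instead of
    being compared against the username column. This is the defect class the
    article attributes to the breach; it is shown only to contrast with the fix.
    """
    sql = "SELECT username, email, phone FROM employees WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    """Parameterized query: the driver binds the value, it is never parsed as SQL.

    Whatever the caller passes is compared literally against the column, so a
    username that is not in the table returns no rows.
    """
    sql = "SELECT username, email, phone FROM employees WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    probe = "' OR '1'='1"  # the classic quote-breaking input, used here as a test case
    print("vulnerable:", len(lookup_vulnerable(db, probe)), "rows")  # every row leaks
    print("hardened:  ", len(lookup_hardened(db, probe)), "rows")    # nothing matches
```

The contrast is the whole lesson: a parameterized query needs no escaping logic of its own, and the same pattern applies to every SQL driver that accepts bound parameters.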

The number of affected employees sits at around 3 thousand, and cybercriminals who want a list of their names can have it for $1 thousand. Those who wish to have the full database along with all the details, however, need to pay $10 thousand.

The encryption algorithm used to scramble the affected workers' passwords is unknown, which means that it's difficult to say how much of a risk the data poses. Unless retrieving the plaintext credentials is trivial, however, the sums posted in the ad might price c0c0linoz out of the market. Hopefully, this is exactly what's going to happen, but UniCredit should be prepared to mitigate the risk in case it doesn't.
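Whether a leaked password column is dangerous depends on how it was stored, which is the uncertainty the paragraph above describes. The following added example (mine, not the article's or any vendor's code; the iteration count is an assumed work factor and the passwords are constructed) contrasts a fast, unsalted digest, which is identical for every user with the same password, with a salted, iterated PBKDF2 store whose stored values differ even for identical passwords and can still be verified.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # assumed work factor; raise it as hardware allows


def fast_unsalted(password: str) -> str:
    """The weak form: one deterministic MD5 of the password, no salt, no cost.

    Two users with the same password get the same stored value, so a leaked
    column can be matched against a precomputed table of common passwords.
    Shown only as the contrast for hash_password below.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, serialized as algo$iters$salt$digest."""
    salt = salt or os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record: reject rather than crash
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    pw = "constructed-example-password"
    print("unsalted md5 (same for every user):", fast_unsalted(pw))
    a, b = hash_password(pw), hash_password(pw)
    print("two PBKDF2 records for the same password differ:", a != b)
    print("verify correct:", verify_password(pw, a), "verify wrong:", verify_password("other", a))
```

The practical reading of the article's caveat: if the platform stored something like `fast_unsalted`, the leaked column is close to plaintext for any common password; if it stored something like `hash_password`, each record has to be attacked individually at the chosen work factor, and forcing a reset of the affected accounts closes the window either way.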

April 27, 2020
