Italy: Garante fines NTT DATA Italia €800,000 for violation of data processor obligations

On March 7, 2024, the Italian data protection authority (Garante) announced its Decision No. 66 of February 8, 2024, and issued a fine of €800,000 to NTT DATA Italia S.p.A for violations of the General Data Protection Regulation (GDPR). 

Background to the decision

The Garante stated that, on October 22, 2018, UniCredit S.p.A. (UniCredit) notified it of a cyber attack on the mobile web channel of its online banking system, which resulted in the unlawful acquisition of the personal data of some customers. The data consisted of customers' first names, surnames, tax codes, and the bank's internal customer identification codes; no banking details were taken.

The Garante noted that the cyber attack on UniCredit took place on October 21, 2018. After UniCredit detected a large number of login attempts against the mobile banking site, it notified the Garante without delay. Given the circumstances, the Garante considered that the breach was likely to present a high risk to the rights and freedoms of the affected customers and required UniCredit to communicate the breach to them.

The Garante highlighted that a second investigation was opened against NTT DATA Italia, which UniCredit had engaged to conduct penetration testing and vulnerability assessment activities from October 1, 2018, to October 26, 2018. The investigation determined that NTT DATA Italia had in turn subcontracted those assessments to a third company, without proper authorization from UniCredit.

Findings of the Garante

The Garante found that NTT DATA Italia, acting as a data processor, entrusted the vulnerability assessment and penetration testing of the mobile banking portal to a third-party company (a sub-processor) without the prior written authorization of the data controller (UniCredit), in violation of Article 28(2) of the GDPR, which prohibits a processor from engaging another processor without such authorization.

The Garante also found that NTT DATA Italia received the vulnerability assessment and penetration testing report from the third party on October 19, 2018, but only informed UniCredit of its results on October 22, 2018 (the day after the attack), in violation of Article 33(2) of the GDPR, which requires a processor to notify the controller without undue delay after becoming aware of a personal data breach. In determining the amount of the fine, the Garante stated that it considered:

  • the nature, gravity, and duration of the violations;

  • the intentional or negligent character of the violations;

  • the absence of previous measures adopted by the Garante against NTT DATA Italia;

  • the economic conditions of the offender;

  • NTT DATA Italia's active cooperation with the Garante; and

  • the fact that the categories of personal data affected consisted of ordinary (non-special-category) personal data of the data subjects.

Outcome

The Garante imposed a fine of €800,000 on NTT DATA Italia as a pecuniary administrative sanction for the above violations, to be paid within 30 days of notification of the decision.

The Garante's newsletter announcing the decision and the full text of Decision No. 66 of February 8, 2024, are available only in Italian.
