The data of around 750,000 users was impacted by the 2018 cyberattack on the bank's mobile banking application. The regulator stated that the penalty, which was unveiled on Thursday, serves as a reminder to banks that "banks must take all necessary technical and organizational and security measures to prevent their customers' data from being unlawfully stolen."

For UniCredit, the 2018 breach was not an anomaly. The bank revealed in 2017 that unauthorized third parties had gained access to the personal financial information of about 400,000 of its clients who had taken out loans through the bank. A second data breach that compromised the personal information of over three million consumers was discovered by UniCredit in 2019.

In response to the penalties announced this week, UniCredit declared that it will challenge the judgment of the data protection authority, stressing that the incident had been promptly handled and that no bank data had been exposed in the hack.