Mass Data Breach Strikes Italian Hotels Since June, Government Confirms • The Register

Italy’s digital agency, AGID, has confirmed the authenticity of claims made by a cybercriminal known as mydocs regarding a series of data breaches that have compromised several hotels across the nation. The attacker claims to have infiltrated the booking systems of various Italian hotels and captured sensitive identification documents from thousands of guests over a three-month period from June to August.

As of Wednesday, AGID reported that the number of affected hotels has risen to ten, with the possibility of further disclosures in the upcoming days. The implications of this breach extend beyond the immediate theft of data, as mydocs has purportedly listed nearly 100,000 individual identity documents, including passports and other forms of identification, on a cybercrime forum.

Though it is common for cybercriminals to exaggerate their exploits in online forums, AGID’s advisory indicates that measures taken by the agency led to the interception of an illegal sale of these documents. This development suggests that the theft may indeed be more than mere speculation and allows for a preliminary verification of the data’s authenticity.

In its warning, AGID has urged the public to remain vigilant against potential scams that could target individuals affected by the breach. The advisory highlighted the multifaceted risks associated with stolen data, including the creation of fraudulent documents, unauthorized bank accounts, and various forms of social engineering attacks. These actions could inflict significant financial and legal consequences on the victims involved.

Despite the growing concern over this incident, questions remain about the timeline of the breaches and the specific methods by which the attackers accessed the sensitive data. Of particular interest is the four-star Borghese Contemporary Hotel in Rome, which has 24 beds, yet over 7,000 documents attributed to it were allegedly listed. Such a discrepancy suggests either that the scale of the breach is inflated or that it covers a longer period of guest information than previously acknowledged.

Italy’s data protection authority, the GDDP, also released a statement confirming that some hotels had proactively reported irregularities to the agency following the attacks. It emphasized the need for accommodation providers who have not yet detected issues to promptly report any anomalies, ensuring that immediate protective measures can be enacted to safeguard data privacy. Moreover, the GDDP has initiated a formal investigation into the reported thefts.

For individuals who believe their documents may have been unlawfully accessed, the GDDP has advised contacting the accommodations in which they stayed for confirmation. This approach not only helps in verifying the breach but also aids in mitigating potential identity theft risks.

This incident illustrates the pressing cybersecurity challenges facing businesses today, particularly in the hospitality sector, where customer trust hinges on the ability to protect sensitive information. The tactics involved in such attacks may include initial access through phishing or exploitation of vulnerabilities in system defenses, persistence to maintain access, and privilege escalation to reach sensitive information. The breadth of techniques catalogued in the MITRE ATT&CK framework reflects the sophistication of modern cyber threats, which demand a proactive and robust response from organizations to fortify their defenses.
