A cyberattack on Almaviva, an IT service provider for FS Italiane Group (Italy’s national railway operator), exposed sensitive internal documents, including personal data related to FS Italiane’s operations. The breach occurred when an unauthorized actor exploited vulnerabilities in Almaviva’s infrastructure, bypassed its defenses and accessed downstream client systems. No operational disruptions to railway services were reported, but the incident compromised business-related documents, some containing personal data subject to GDPR. Investigations are ongoing to determine the full scope of exfiltrated data, with authorities (including Italy’s ACN and European regulators) assessing cross-border implications. The breach underscores third-party risks in critical infrastructure, prompting calls for stricter vendor controls and network segmentation. FS Italiane has intensified monitoring and third-party audits, while Almaviva is addressing vulnerabilities. The incident aligns with Italy’s push for enhanced cyber resilience under its National Cybersecurity Perimeter law, highlighting gaps in supply chain security for vital sectors like transport.
Ferrovie dello Stato Italiane S.p.A. cybersecurity rating report: https://www.rankiteo.com/company/ferrovie-dello-stato-s-p-a
{
  "id": "FER1992519112125",
  "linkid": "ferrovie-dello-stato-s-p-a",
  "type": "Breach",
  "date": "11/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'industry': 'Information Technology',
'location': 'Italy',
'name': 'Almaviva',
'type': 'IT Service Provider'},
{'industry': 'Transportation (Critical Infrastructure)',
'location': 'Italy',
'name': 'FS Italiane Group',
'type': 'National Railway Operator'}],
'attack_vector': ['Phishing (suspected)', 'Credential Compromise (suspected)'],
'data_breach': {'data_exfiltration': 'Suspected (under investigation)',
'file_types_exposed': ['Documents'],
'personally_identifiable_information': 'Yes (confirmed)',
'sensitivity_of_data': 'High (includes personal and '
'operational data)',
'type_of_data_compromised': ['Internal business documents',
'Personal data']},
'description': 'A cyberattack targeting Almaviva, an Italian IT service '
'provider, led to the exposure of sensitive internal documents '
'and personal data belonging to FS Italiane Group, Italy’s '
'national railway operator. The breach was discovered after '
'Italy’s national cybersecurity agency (ACN) initiated an '
'investigation into suspicious activity. While no operational '
'disruptions to railway services were reported, the incident '
'highlights third-party risks in critical infrastructure '
'sectors. The attack vector is suspected to involve phishing '
'or credential compromise, enabling lateral movement into '
'sensitive systems. Investigations are ongoing to assess the '
'full scope of data exposure and potential GDPR implications.',
'impact': {'brand_reputation_impact': 'Potential reputational damage to '
'Almaviva and FS Italiane',
'data_compromised': ['Internal documents',
'Personal data (potentially GDPR-regulated)'],
'downtime': 'None (no operational disruptions reported)',
'identity_theft_risk': 'Possible (personal data exposed)',
'legal_liabilities': ['Potential GDPR violations',
'Regulatory scrutiny'],
'operational_impact': 'None (railway services unaffected)',
'systems_affected': ['Almaviva’s IT systems',
'FS Italiane’s non-operational networks']},
'initial_access_broker': {'entry_point': ['Phishing (suspected)',
'Credential compromise (suspected)'],
'high_value_targets': ['FS Italiane’s internal '
'documents and personal '
'data']},
'investigation_status': 'Ongoing (ACN-led investigation, third-party '
'assessments in progress)',
'lessons_learned': ['Third-party vendors must apply stringent cybersecurity '
'controls when accessing sensitive data.',
'Critical infrastructure operators should implement '
'network segmentation to protect operational technology '
'from IT-side breaches.',
'Swift breach notification and incident response are '
'critical for GDPR compliance in third-party breaches.',
'Continuous reassessment of vendor exposure and '
'third-party risk management is essential.'],
'post_incident_analysis': {'corrective_actions': ['Almaviva implementing '
'corrective measures to '
'mitigate vulnerabilities',
'FS Italiane enhancing '
'network monitoring and '
'third-party assessments',
'Collaboration with ACN and '
'European regulators for '
'cross-border implications'],
'root_causes': ['Weaknesses in Almaviva’s '
'infrastructure defenses',
'Potential lack of segmentation '
'between IT and operational '
'networks',
'Possible phishing or credential '
'compromise enabling lateral '
'movement']},
'recommendations': ['Enhance vendor cybersecurity audits and contractual '
'obligations for data protection.',
'Implement stricter access controls and monitoring for '
'third-party service providers.',
'Adopt zero-trust architecture to limit lateral movement '
'in case of breaches.',
'Participate in intelligence-sharing initiatives to '
'improve threat detection and response.',
'Comply with Italy’s National Cybersecurity Perimeter law '
'for critical infrastructure protection.'],
'references': [{'source': 'ACN (Agenzia per la Cybersicurezza Nazionale)'},
{'source': 'FS Italiane Group Internal Communication'}],
'regulatory_compliance': {'regulations_violated': ['Potential GDPR '
'violations'],
'regulatory_notifications': ['Data protection '
'agencies notified',
'ACN investigation '
'ongoing']},
'response': {'communication_strategy': ['Internal communications by FS '
'Italiane',
'Public disclosure via ACN'],
'containment_measures': ['Isolation of critical railway systems',
'Network segmentation'],
'enhanced_monitoring': True,
'incident_response_plan_activated': True,
'law_enforcement_notified': True,
'network_segmentation': True,
'recovery_measures': ['Enhanced monitoring across FS Italiane’s '
'networks'],
'remediation_measures': ['Third-party assessments',
'Corrective actions by Almaviva'],
'third_party_assistance': ['ACN (Agenzia per la Cybersicurezza '
'Nazionale)',
'European cybersecurity '
'organizations']},
'stakeholder_advisories': ['FS Italiane and Almaviva are coordinating with '
'regulators and stakeholders.'],
'title': 'Cyberattack on Almaviva Exposes Sensitive FS Italiane Group Data',
'type': ['Data Breach', 'Third-Party Compromise'],
'vulnerability_exploited': ['Weaknesses in Almaviva’s infrastructure',
'Lack of segmentation between IT and operational '
'systems']}