Ferrovie dello Stato Italiane (FS), Italy’s state-owned railway operator, suffered a massive data breach via its IT provider, Almaviva. A threat actor stole 2.3 TB of sensitive data, including FSE investment plans (2017–2035), internal/confidential documents, trade secrets, forensic reports, legal papers, financial/bank records, and defense-related contracts (e.g., with the Ministry of Defense, Aeronautica Militare, and Guardia di Finanza). The breach also exposed passengers’ personal data (including passport numbers) and detailed employee records (full names, emails, phone numbers, job titles, salaries, and CID) across multiple FS subsidiaries (e.g., Trenitalia, Rete Ferroviaria Italiana, Mercitalia). The leaked data spans recent fiscal, administrative, and operational documents up to Q3 2025, indicating a fresh compromise. While Almaviva contained the attack and protected critical services, the scale of the exposed data, which covers corporate, employee, customer, and defense-sensitive information, poses severe risks for fraud, espionage, and operational disruption.
Ferrovie dello Stato Italiane S.p.A. cybersecurity rating report: https://www.rankiteo.com/company/ferrovie-dello-stato-s-p-a
{
  "id": "FER4392043112125",
  "linkid": "ferrovie-dello-stato-s-p-a",
  "type": "Breach",
  "date": "6/2017",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'customers_affected': 'Millions (annual passengers)',
'industry': 'Transportation/Logistics',
'location': 'Italy',
'name': 'Ferrovie dello Stato Italiane (FS)',
'type': 'State-owned railway operator'},
{'industry': 'Technology/Defense',
'location': 'Italy (global operations)',
'name': 'AlmavivA',
'size': '41,000 employees (7,000 in Italy, 34,000 '
'abroad)',
'type': 'IT and digital services provider'},
{'industry': 'Rail Transport',
'location': 'Italy',
'name': 'Trenitalia',
'type': 'Subsidiary'},
{'industry': 'Rail Infrastructure',
'location': 'Italy',
'name': 'Rete Ferroviaria Italiana (RFI)',
'type': 'Subsidiary'},
{'industry': 'Logistics',
'location': 'Italy',
'name': 'MERCITALIA INTERMODAL S.p.A.',
'type': 'Subsidiary'},
{'industry': 'Retail',
'location': 'Italy',
'name': 'GrandiStazioni Retail',
'type': 'Subsidiary'},
{'industry': 'Defense',
'location': 'Italy',
'name': 'MINISTERO DIFESA (Italian Ministry of '
'Defense)',
'type': 'Government Agency'},
{'industry': 'Defense',
'location': 'Italy',
'name': 'AERONAUTICA MILITARE (Italian Air Force)',
'type': 'Military Branch'},
{'industry': 'Public Security',
'location': 'Italy',
'name': 'General Guardia di Finanza',
'type': 'Law Enforcement'},
{'industry': 'Public Security',
'location': 'Italy',
'name': 'General Command of the Carabinieri',
'type': 'Law Enforcement'},
{'industry': 'Diplomacy',
'location': 'Italy',
'name': 'MINISTRY OF FOREIGN AFFAIRS AND INTERNATIONAL '
'COOPERATION',
'type': 'Government Agency'}],
'data_breach': {'data_exfiltration': True,
'personally_identifiable_information': ['Passenger data '
'(passport numbers)',
'Employee data '
'(names, emails, '
'phone numbers, job '
'titles, salaries, '
'CID)'],
'sensitivity_of_data': 'Extremely High (includes PII, defense '
'contracts, trade secrets, and '
'financial records)',
'type_of_data_compromised': ['FSE Investment and Industrial '
'Plans (2017–2035)',
'Internal/confidential documents '
'(marked USO INTERNO, '
'CONFIDENZIALE, ESCLUSIVO)',
'Privileged communications',
'Contracts/agreements (including '
'NDAs and defense-related '
'contracts with MINISTERO '
'DIFESA, AERONAUTICA MILITARE)',
'Project documentation (e.g., '
'Project Venus, Leonardo, SIPAD)',
'Codes and trade secrets',
'Forensic reports',
'Legal/court papers',
'Financial/bank documents',
'Passenger personal data '
'(including passport numbers)',
'Employee data (full names, '
'email addresses, phone numbers, '
'job titles, salaries, CID)',
'Mercitalia client data',
'Priority lists of '
'defense-related supplies',
'Almaviva contracts with '
'clients/suppliers (e.g., '
'Guardia di Finanza, '
'Carabinieri, health '
'authorities)',
'Tender documents',
'Organizational structures '
'(e.g., GENERALI ITALIA S.p.A.)',
'RIF financial documents',
'Technical documents for '
'Almaviva projects',
'Fiscal, administrative, and '
'operational documents (up to Q3 '
'2025)']},
'date_publicly_disclosed': '2025-11-21',
'description': 'Data belonging to Italy’s national railway operator Ferrovie '
'dello Stato Italiane (FS) was leaked after a data breach at '
'IT provider Almaviva. A threat actor claimed the theft of 2.3 '
'TB of sensitive data, including internal documents, '
'contracts, employee/passenger PII, financial records, and '
'defense-related supplies. Almaviva detected and contained the '
'attack, activating security procedures and notifying '
'authorities while keeping critical services operational.',
'impact': {'brand_reputation_impact': 'High (sensitive data leak affecting '
'national railway and defense-related '
'entities)',
'data_compromised': '2.3 TB',
'identity_theft_risk': 'High (passenger PII, employee data, and '
'financial records exposed)',
'operational_impact': 'None (critical services remained fully '
'operational)',
'payment_information_risk': 'High (bank documents and financial '
'data compromised)',
'systems_affected': ['Corporate systems of Almaviva']},
'initial_access_broker': {'high_value_targets': ['Defense contracts',
'Employee/financial data',
'Trade secrets']},
'investigation_status': 'Ongoing (close coordination with authorities; '
'technical details not disclosed)',
'ransomware': {'data_exfiltration': True},
'references': [{'date_accessed': '2025-11-21',
'source': 'SecurityAffairs',
'url': 'https://securityaffairs.com'}],
'regulatory_compliance': {'regulatory_notifications': ['Public Prosecutor’s '
'Office',
'Postal Police',
'National Agency for '
'Cybersecurity',
'Italian Data '
'Protection '
'Authority']},
'response': {'communication_strategy': ['Prompt notification to authorities '
'(Public Prosecutor’s Office, Postal '
'Police, National Agency for '
'Cybersecurity, Italian Data '
'Protection Authority)',
'Coordination with partners and '
'stakeholders',
'Public disclosure via company '
'notice'],
'containment_measures': ['Isolation of affected systems',
'Activation of specialized security '
'procedures'],
'enhanced_monitoring': True,
'incident_response_plan_activated': True,
'law_enforcement_notified': True},
'stakeholder_advisories': 'Authorities, partners, and relevant stakeholders '
'were promptly informed.',
'title': 'Massive data leak hits Italian railway operator Ferrovie dello '
'Stato via Almaviva hack',
'type': ['Data Breach', 'Data Leak', 'Cyberattack']}