- A cyberattacker breached Almaviva, the IT services provider for Italy's state-owned railway operator, FS Italiane Group.
- The attacker claims to have stolen 2.3 terabytes of data, along with confidential reports and sensitive corporate documents.
- Internal materials from one of Italy’s leading industrial ventures are now exposed as the stolen data circulates on dark web forums.

Imagine trusting your IT security to a major global provider. Then, watching 2.3 terabytes of your company’s secrets appear on the dark web. That’s exactly what happened to Italy’s railway system. A cybercriminal just exposed massive amounts of data from FS Italiane Group by breaching their IT partner.
The attack targeted Almaviva, a major IT and digital services company serving clients worldwide. They provide everything from software development to systems integration and consulting platforms. The attacker didn’t just get in and grab a few files. They claim to have exfiltrated an enormous trove of information and then published it all on a dark web forum.
Fresh Data, Recent Breach – Voids 2022 Speculations
This isn’t old news resurfacing. Andrea Draghetti, Head of Cyber Threat Intelligence at D3Lab, verified that the compromised data is recent, with materials dating to Q3 of 2025. He specifically dismissed speculation connecting these files to the Hive ransomware attack of 2022. This is something entirely new.
The scope is staggering. According to Draghetti, the materials allegedly in the attacker's possession include multi-company repositories, internal shares, and technical documentation. Contracts with public entities, accounting data, HR archives, and entire datasets from various FS Group firms are there too.
Draghetti explained,
“The way the data dump is structured, with compressed archives organized by department or company, is a common tactic used by data brokers and ransomware groups active in 2024-2025.”
This breach is drawing attention because of the scale of the entities involved. Almaviva has over 41,000 employees across approximately 80 locations worldwide. Reportedly, last year’s revenue hit $1.4 billion. FS Italiane is entirely owned by the Italian government and ranks among the nation’s largest industrial enterprises. It generates over $18 billion annually through rail, transport, and logistics services.
The incident underscores a persistent threat to Italian digital assets, coming just months after reports that hackers were selling access to thousands of Italian websites on the dark web.
It mirrors a recent, similar attack pattern where a critical infrastructure provider was compromised: the data breach at Dutch network firm Eurofiber, which also resulted in customer data being exposed on the darknet.
Company Confirms the Attack
Almaviva eventually confirmed the breach in statements to local media outlets. Their acknowledgment came with some damage control messaging.
“Our security monitoring services recently detected and contained a cyberattack on our corporate systems, which led to the theft of some data,” Almaviva stated.
The company emphasized that its response was immediate. They activated security and counter-response procedures through specialized teams. They claim to have ensured the protection and full operability of critical services throughout the incident.
Almaviva followed proper protocol by notifying the relevant authorities. Reports went to law enforcement, Italy's national cybersecurity agency, and the data protection authority. Authorities are now assisting with the ongoing investigation. The company promised to share further updates as more findings become available.
Passenger Credentials Leaked? Unanswered Questions Remain
Critical information is still missing from the public picture. Nobody knows yet whether passenger information was included in the stolen data. That’s a huge concern for millions of railway customers. It’s also unclear if the breach affected additional Almaviva clients beyond FS Italiane.
BleepingComputer sent follow-up questions seeking these details. As of publication, they hadn’t received any response. The silence on passenger data exposure is particularly troubling given the volume of personal information railway operators typically handle.
In another public statement, Almaviva reiterated that they had isolated the cyberattack quickly. They emphasized that business continuity plans prevented disruptions to operations. “Almaviva immediately activated safety and response procedures through its specialized team for this type of incident, ensuring the protection and full operation of critical services,” the company stated.
This breach highlights a growing vulnerability in our connected infrastructure. When IT providers get compromised, the damage spreads to all their clients. For organizations handling critical national infrastructure like railways, that’s a serious problem. The 2.3 terabytes now floating around the dark web prove just how much damage one successful attack can cause.