Italian hotels breached en masse since June, government confirms – Source: go.theregister.com

Italy’s digital agency (AGID) says a cybercriminal’s claims concerning a spate of data thefts affecting various hotels across the country are genuine.

The miscreant, operating under the alias of mydocs, claims to have gained access to the booking systems used by Italian hotels and stolen thousands of guests’ sensitive ID documents between June and August.

AGID said on Wednesday the total number of affected hotels has risen to ten, a number that could go up further in the coming days.

Across various posts to a cybercrime forum, mydocs claims to have listed nearly 100,000 individual identity documents, including passports and other ID cards.

Cybercriminals often make salacious claims about their nefarious exploits on these kinds of forums, and often they are either inflated, exaggerated, or outright false. 

However, in AGID’s advisory, the government agency said it intercepted an illegal sale of the documents in question, suggesting it was able to verify the authenticity of the data.

It went on to warn the public of scams that could potentially target victims of the breach.

“This data, once stolen, can be used for fraudulent purposes: from creating false documents to opening bank accounts, to social engineering attacks and digital identity theft, with potentially serious consequences for the victims, both financially and legally,” the advisory read (machine translated).

How far the data dates back or how exactly it was accessed remain unanswered questions. However, one affected hotel, the four-star Borghese Contemporary Hotel in Rome, only has 24 beds, yet mydocs claims to have listed more than 7,000 documents, suggesting the scale of the breach is either inflated or covers potentially many years’ worth of visitors.

• That ‘angry guest’ email from Booking.com? It’s a scam, not a 1-star review
• Marriott Hotels admits to third data breach in 4 years
• Hotel check-in terminal bug spews out access codes for guest rooms
• A tale of 2 casino ransomware attacks: One paid out, one did not
• Cyberattack hits Omni Hotels systems, taking out bookings, payments, door locks

Italy’s data protection authority, the GDDP, also issued a statement on Wednesday confirming some hotels had reported themselves due to the attacks.

“The Italian Data Protection Authority recommends that accommodation facilities that have not yet reported any irregularities promptly report any anomalies so that immediate steps can be taken to protect data privacy and, as required by law, notify affected guests of any breaches,” it stated (machine translated).

“Anyone who suspects that their documents may have been unlawfully stolen is also advised to contact the accommodations where they stayed for confirmation.”

The GDDP said it has launched a formal investigation into the thefts. ®