A major data breach has exposed extensive internal information belonging to Italy’s national railway operator, the FS Italiane Group, following a cyberattack on its IT services provider, Almaviva.
The incident came to light after a threat actor claimed to have stolen 2.3 terabytes of corporate data and published it on a dark web forum.
According to the attacker’s description, the leaked files contain confidential documents, internal repositories, technical materials, HR archives, financial data, and datasets related to multiple companies within the FS Group.
The scale and structure of the data dump resemble the techniques commonly used by ransomware gangs and data brokers active across 2024 and 2025.
Cyber intelligence expert Andrea Draghetti of D3Lab confirmed that the leaked material is recent, including documents from the third quarter of 2025, ruling out any connection to Almaviva’s previous Hive ransomware incident in 2022.
Almaviva is one of Italy’s largest IT and digital transformation providers, employing more than 41,000 staff across nearly 80 offices worldwide and reporting over $1.4 billion in annual revenue.
The company supports a broad range of sectors, including public administration, transportation, and logistics, making it a significant supplier to FS Italiane.
FS Italiane, a state-owned entity generating over $18 billion annually, is responsible for railway infrastructure, passenger and freight services, and a large portion of the country’s transport logistics. A breach affecting its data raises serious concerns about national-level exposure.
While initial press requests went unanswered, Almaviva later issued a statement confirming the cyberattack. The company reported that its security monitoring system had detected and isolated the intrusion, which resulted in the theft of “some data.”
Almaviva stated that specialised response teams were immediately mobilised to secure affected systems and ensure the continued operation of critical services.
The company has notified law enforcement, Italy’s national cybersecurity agency, and the country’s data protection authority. An investigation is ongoing with support from government bodies.
Almaviva pledged full transparency as more details become available.
Source: BleepingComputer
Hackwarn Analysis: Why Did This Hack Succeed?
The huge data leak occurred because several things went wrong simultaneously. Here’s the easy breakdown:
1. Hackers targeted the “supplier,” not the railway company
Instead of hacking the railway company (FS Italiane) directly, the attackers broke into Almaviva, the IT company that manages systems for many organisations.
This is like breaking into the building contractor instead of the house. By hacking one major IT provider, attackers can reach many clients simultaneously.
2. Almaviva’s systems are huge and complicated
Almaviva has 41,000 staff and dozens of offices. Big companies like this have:
- Many servers
- Many storage systems
- Many types of data
Big networks = more ways for hackers to get in.
3. Attackers likely found weak spots or old systems
The exact weakness isn’t public yet, but based on the leaked files, hackers probably used:
- Outdated systems
- Weak security settings
- Stolen passwords
- Misconfigured servers
Once they got in, they moved around inside the network easily.
4. Hackers stole data quietly for a long time
The leak is 2.3 terabytes, which is massive. This means hackers were inside the system long before anyone noticed. Monitoring tools spotted the attack, but only after the data had already been taken.
5. Different departments kept data in shared places
The leaked data includes files from:
- HR
- Finance
- Technical teams
- Multiple FS Group companies
This suggests not enough “walls” existed between departments inside the system, allowing hackers to roam freely.
6. No ransom demand = they wanted the data itself
This looks less like a typical ransomware attack and more like:
- A data-stealing group
- A cybercrime broker
- A spy-style operation
These attackers want information, not ransom money.
Immediate Action: What You Need To Do
Even if you are not directly involved with FS Italiane or Almaviva, this leak shows how easily big organisations can be hit. Here’s what everyone should do:
1. Be alert for scams pretending to be FS, train companies, or government
With so much data leaked, scammers may try:
- Fake emails
- Fake invoices
- Fake SMS notifications
- Fake “customer service” calls
Be extra careful with unexpected messages.
2. Change your passwords if you use FS or related services
If you have accounts related to:
- Railway services
- Customer portals
- Apps or online services
Change your password and enable two-factor authentication (2FA).
3. Watch out for unusual activity
Look for:
- Unknown login attempts
- Suspicious emails
- Messages asking for personal info
If anything seems off, quickly delete, block, or report it.
4. Update your devices and apps
Cyberattacks often happen because of outdated systems.
Make sure the following are all updated:
- Phone
- Laptop
- Apps
- Router
5. Businesses: Check your vendors
If your company works with large IT suppliers (like Almaviva), ask them:
- Did this incident affect us too?
- What steps have been taken to secure systems?
- Do we need to change passwords or restrict access?
Supply chain attacks spread quickly.
6. Stay informed
This case will continue developing, and more leaked data may appear. Keep following updates to know whether:
- Your data is involved
- New scams start circulating
- New safety steps are recommended
