ABSTRACT – The November 2025 Almaviva Cyber Incident: Third-Party Breach Exposing Sensitive Transport and Defense-Related Data in Italy
Almaviva, an Italian IT services provider with over 41,000 employees and revenues exceeding €1.4 billion, confirmed a cyberattack on its corporate systems in November 2025 that resulted in the unauthorized exfiltration of data. The company detected and isolated the intrusion through its security monitoring services in the preceding weeks, activating specialized response procedures that maintained full operability of critical services. Authorities, including the Public Prosecutor’s Office, Postal Police, National Cybersecurity Agency, and Data Protection Authority, received immediate notifications, with ongoing collaboration for investigation and response.
A threat actor subsequently claimed responsibility for stealing approximately 2.3 terabytes of data and published portions on underground forums. Independent analysis by cybersecurity researchers confirmed the leaked material includes recent documents dated through the third quarter of 2025, encompassing fiscal, administrative, operational, and technical files. This timeline distinguishes the incident from Almaviva’s prior 2022 breach involving the Hive ransomware group targeting Rete Ferroviaria Italiana systems, as the freshness of the compromised records indicates a new compromise.
The exfiltrated archive primarily contains information belonging to the Ferrovie dello Stato Italiane (FS) Group, Italy’s state-owned railway operator responsible for passenger transport, freight logistics, and infrastructure management. Exposed files span multiple FS subsidiaries, including Trenitalia, Rete Ferroviaria Italiana, Mercitalia Intermodal, Italferr, Italcertifer, and others. Contents include employee records with full names, email addresses, phone numbers, job titles, salaries, and civic identification numbers; internal payrolls and bank account details; technical configurations; multi-company repositories; and contracts covering periods up to 2035.
Particular sensitivity attaches to documentation marked “internal use,” “confidential,” or “exclusive,” incorporating industrial and investment plans for the FS Group through 2035, priority lists for strategic supplies, and materials related to defense-sector partnerships. Contracts and operational agreements with the Ministry of Defense, Italian Air Force, Guardia di Finanza, Carabinieri General Command, health authorities, and Ministry of Foreign Affairs also appear in the leak. While passenger personal data exposure remains unconfirmed at scale, some reports note inclusion of passport numbers and related identifiers in limited subsets.
Almaviva emphasized that the breach affected corporate systems rather than operational environments supporting clients, ensuring no disruption to railway services. The company described the incident as contained and pledged transparent updates subject to investigative constraints. FS Italiane Group issued no separate public acknowledgment as of December 2025, though internal coordination with Almaviva and authorities proceeds.
The incident exemplifies a classic supply-chain attack, where compromise of a trusted third-party provider enables indirect access to high-value client data. Almaviva serves as a core IT partner for FS, managing digital infrastructure integral to national transport networks designated as critical under Italy’s National Cybersecurity Perimeter framework. The volume and recency of exfiltrated material—2.3 terabytes organized by department and entity—align with tactics observed in ransomware-affiliated operations and data-broker activities throughout 2024–2025, featuring structured archives designed for monetization or further exploitation.
Exposure of defense-related contracts and strategic supply priorities raises direct national-security concerns, potentially enabling adversaries to map procurement dependencies, partnership structures, and long-term infrastructure investments. Employee personal data creates risks of targeted social engineering or identity fraud, while technical and configuration files could inform future intrusions if combined with other intelligence.
Italy’s National Cybersecurity Agency (ACN) launched an immediate probe, reflecting heightened vigilance following a series of third-party incidents affecting critical sectors. The breach underscores persistent gaps in vendor risk management, network segmentation, and continuous monitoring across extended ecosystems. Although no evidence indicates operational disruption or ransomware deployment, the public dissemination of sensitive materials amplifies reputational and regulatory consequences under GDPR and national provisions.
As of December 2025, investigations continue without attribution to a specific actor or motive. The absence of encryption failures or operational outages distinguishes this event from more disruptive attacks, yet the scale of exposed strategic information positions it among Italy’s most significant non-ransomware data compromises in recent years. Ongoing forensic analysis will determine precise access vectors—potentially involving credential compromise or unpatched vulnerabilities—and whether additional clients beyond FS suffered indirect impacts.
This incident reinforces the evolving threat landscape for European critical infrastructure, where third-party providers represent high-value conduits for adversaries seeking intelligence rather than immediate financial gain. Strengthened oversight of supply-chain cybersecurity, mandatory segmentation between corporate and client environments, and enhanced threat-sharing mechanisms emerge as immediate priorities for Italian and EU policymakers.
Table of Contents
Core Concepts in Review: What We Know and Why It Matters
- Incident Timeline and Confirmation
- Scope and Nature of Compromised Data
- Affected Entities and Critical Infrastructure Exposure
- Response Measures and Investigative Status
- National-Security Implications
- Policy Recommendations and Broader Lessons
Almaviva S.p.A. & FS Group Intrusion Analysis
Strategic breakdown of the 2.3 TB data exfiltration event affecting Italy’s critical transport infrastructure and defense sectors (Nov 2025).
1. Divergence: Espionage Over Extortion
The incident diverges significantly from typical industrial ransomware attacks. While the volume (2.3 TB) is characteristic of “Big Game Hunting,” the absence of encryption and ransomware deployment points toward intelligence gathering or data brokerage rather than immediate operational sabotage.
- Operational vs. Corporate: While admin systems were penetrated, FS Group trains ran on schedule. This highlights a sharp divergence between the security of IT (Corporate) and OT (Operational Technology) environments.
- Timeline Anomaly: Files were modified/accessed between Jan-Sept 2025, distinct from the 2022 Hive attack, confirming a fresh, undetected persistence of several months.
2. Structural Bias
The breach exposes a systemic bias in Italian critical infrastructure protection: Over-reliance on “Paper Compliance.”
Despite the strict National Cybersecurity Perimeter laws and GDPR frameworks, the practical implementation of supply-chain segmentation failed. The bias favors securing the “Core Entity” (FS Group) while underestimating the “Gateway Risk” posed by trusted MSPs (Almaviva).
3. Critical Risk Assessment
The risk profile has shifted from immediate disruption to long-term strategic erosion. The data type distribution creates specific vectors for future exploitation.
- Defense (High Severity): Contracts with Ministry of Defense/Carabinieri reveal logistics capabilities and supply chain dependencies.
- Identity (High Volume): Payroll data facilitates targeted phishing against railway personnel to gain future OT access.
- Infrastructure (Long-term): Strategic plans extending to 2035 allow adversaries to map and disrupt future transport upgrades.
4. Social & Operational Effect
Key figures: 2.3 TB of data exposed; 10+ FS subsidiaries hit; strategic plans through 2035 leaked.
Trust Erosion: The leak of employee fiscal codes and salaries creates internal friction and fear of identity theft among the workforce. Externally, the exposure of defense contracts questions the state’s ability to keep military logistics confidential.
5. Conclusion & Remediation
The Almaviva incident is a textbook “Island Hopping” attack where a service provider was used to compromise high-value government targets. While operational trains were spared, the intelligence loss is severe.
Strategic Actions
- Enforce NIS2: Accelerate supply-chain auditing for all “Essential Entities” immediately, not waiting for 2026 deadlines.
- Vendor Zero-Trust: Mandate logical air-gapping. Admin providers should not have standing access to client data repositories.
Tactical Response
- Credential Reset: Mandatory rotation for all FS employees and linked defense contractors.
- Threat Hunting: Use leaked network diagrams to proactively patch the specific vulnerabilities adversaries now know about.
Core Concepts in Review: What We Know and Why It Matters
In November 2025, Almaviva, one of Italy’s largest IT services companies, suffered a major cyber intrusion that led to the theft and partial public release of sensitive data belonging primarily to its client, the state-owned railway operator Ferrovie dello Stato Italiane (FS). Almaviva confirmed the attack in an official statement on 20 November 2025, explaining that its security monitoring teams had detected and isolated the breach weeks earlier, preventing any disruption to critical services. The company immediately notified authorities, including the Public Prosecutor’s Office, the Postal Police, the National Cybersecurity Agency (ACN), and the Data Protection Authority.
What made this incident stand out was the volume and sensitivity of the stolen material. A threat actor claimed to have exfiltrated 2.3 terabytes of data—organized neatly into folders by department and subsidiary—and began leaking samples on underground forums. Independent cybersecurity researchers quickly verified the authenticity of these samples, noting that files included documents updated as recently as October 2025. This timeline ruled out any connection to Almaviva’s earlier 2022 ransomware incident involving the Hive group, confirming a fresh compromise.
At its heart, the breach exposed the dangers of supply-chain attacks. Almaviva acts as a trusted third-party provider for FS and other public entities, managing corporate systems that store administrative, financial, and operational records. The attackers targeted Almaviva’s own corporate environment rather than FS’s operational rail control systems. Because proper segmentation kept the two worlds apart, trains kept running without interruption. Yet the corporate repositories held a treasure trove of information that FS had entrusted to its vendor.
The leaked archive revealed several categories of sensitive data. Payroll and employee records from multiple FS subsidiaries—Trenitalia, Rete Ferroviaria Italiana, Italferr, and others—contained full names, fiscal codes, salaries, bank details, and contact information for thousands of workers. Administrative files included contracts with government bodies such as the Ministry of Defense, the Italian Air Force, the Guardia di Finanza, and the Carabinieri. Longer-term planning documents outlined FS industrial and investment strategies through 2035, along with priority lists for strategic supplies and partnerships involving defense contractors like Leonardo.
Some files carried markings like “confidential” or “internal use,” underscoring their restricted nature. While passenger data appeared only in limited form—such as scattered passport numbers—no evidence emerged of mass exposure of traveler records. The structured way the data was packaged suggested deliberate exfiltration for intelligence purposes or resale, rather than a typical ransomware operation demanding payment for decryption.
The incident highlighted Italy’s vulnerability in protecting critical infrastructure. Railways qualify as essential under the country’s National Cybersecurity Perimeter framework, which imposes strict security requirements on operators like FS. When a third-party provider becomes the weak link, direct defenses on the primary target prove irrelevant. Almaviva’s role extended beyond transport to defense and public administration clients, meaning one breach rippled across multiple sectors.
Response efforts moved quickly but quietly. Almaviva contained the intrusion, cooperated fully with investigators, and emphasized that no operational systems were affected. The ACN coordinated the national response, while criminal probes focused on unauthorized access and potential risks to state secrets. As of early December 2025, no attribution to a specific actor had been made public, and the full scope of impacted clients remained under review.
From a national-security perspective, the exposure of defense-related contracts and long-term railway investment plans raised serious concerns. Italy’s rail network serves dual civilian and military purposes, supporting NATO logistics in southern Europe. Revealing procurement priorities or partnership details could help adversaries map dependencies or plan targeted disruptions. Employee personal data, meanwhile, created risks of phishing or identity theft against individuals in sensitive roles.
This case underscores broader lessons for policymakers. Europe has strengthened rules through the NIS2 Directive, transposed in Italy via Legislative Decree 138/2024, which demands tougher supply-chain oversight and mandatory risk assessments for vendors. Yet enforcement gaps persist, particularly around network segmentation and continuous monitoring of third parties. The Almaviva breach shows that even providers marketing cybersecurity services can fall victim when internal practices lag.
In the end, the incident caused no blackouts or halted trains, but it eroded trust in how Italy safeguards its digital backbone. It reminds lawmakers that modern threats rarely come head-on; they sneak through trusted partners. Strengthening vendor requirements, enforcing strict data separation, and improving threat-sharing across sectors are no longer optional—they are essential to prevent the next, potentially more damaging, attack.
Incident Timeline and Confirmation
Almaviva S.p.A., Italy’s largest domestic IT services provider, publicly confirmed a cyber intrusion on 20 November 2025. The company issued a statement on its corporate website declaring that its internal security infrastructure detected anomalous activity in the preceding weeks. Security teams activated dedicated containment procedures. These procedures isolated the compromise without interrupting services delivered to clients. Almaviva notified the Public Prosecutor’s Office, the Postal Police and Communications Authority, the National Cybersecurity Agency (ACN), and the Italian Data Protection Authority (Garante Privacy) immediately upon detection.
The official Almaviva statement emphasized that the incident affected only corporate systems. Operational environments supporting client infrastructure remained intact. Railway services operated by the Ferrovie dello Stato Italiane (FS) Group continued without disruption. The company pledged full cooperation with investigative authorities and promised further updates subject to ongoing forensic constraints.
On 21 November 2025, the ACN issued a brief public communication acknowledging receipt of Almaviva’s notification. The agency confirmed activation of national incident-response protocols under Italy’s National Cybersecurity Perimeter framework. The ACN coordinated with affected entities and law-enforcement bodies to assess scope and potential impacts on critical infrastructure.
Independent cybersecurity researchers first observed claims of data exfiltration on underground forums on 22 November 2025. A threat actor using the handle “wazawaka” published a post on a known data-leak site announcing possession of 2.3 terabytes of archives allegedly stolen from Almaviva. The actor provided sample directories and file listings to substantiate the claim. These samples included folder structures labeled with FS Group subsidiary names and dated documents extending into September 2025.
Cybersecurity firm Yarix, an Italian digital-forensics company, published an initial analysis on 24 November 2025. Researchers authenticated portions of the leaked material by cross-referencing file metadata and document watermarks with publicly known FS Group templates. The analysis confirmed the presence of recent payroll records, internal correspondence, and technical configurations consistent with legitimate internal documentation.
Italian media outlets amplified coverage beginning 25 November 2025. Major national newspapers reported the volume of allegedly compromised data and highlighted potential exposure of defense-related contracts. The FS Group declined public comment beyond acknowledging ongoing coordination with Almaviva and competent authorities.
The threat actor escalated visibility on 27 November 2025 by releasing additional samples containing employee personal data, including names, fiscal codes, and salary details from multiple FS subsidiaries. Researchers noted structured organization of the archive by department and entity, indicating deliberate exfiltration rather than opportunistic collection.
ACN Director General Bruno Frattasi briefed parliamentary oversight committees in closed session during the week of 25 November 2025. No public transcript emerged, but subsequent press statements from committee members confirmed the agency classified the incident as high-severity due to involvement of critical transport infrastructure and defense-sector clients.
Almaviva updated its public statement on 28 November 2025, reiterating containment success and absence of ransomware deployment. The company explicitly distinguished the 2025 incident from a prior 2022 attack attributed to the Hive ransomware group that targeted Rete Ferroviaria Italiana systems through a different third-party provider.
Cybersecurity researchers tracking the leak observed progressive release of archive segments throughout late November and early December 2025. The actor maintained a dedicated thread on the forum, updating download links and responding to bidder inquiries. Forensic examination of released files revealed modification timestamps spanning January to September 2025, establishing that the compromise occurred no earlier than mid-2025.
The Italian Ministry of Infrastructure and Transport, which exercises shareholder oversight of the FS Group, issued no independent public statement as of 8 December 2025. Internal channels coordinated risk assessments with ACN and law-enforcement entities.
Italian law-enforcement agencies opened a formal criminal investigation under articles pertaining to unauthorized access to computer systems and potential disclosure of state secrets. The Rome Public Prosecutor’s Office leads the probe with technical support from the Postal Police’s National Computer Crime Centre for Critical Infrastructure Protection (CNAIPIC).
No attribution to a specific threat actor group appeared in open sources by 8 December 2025. Preliminary indicators examined by private researchers showed no overlap with known ransomware infrastructure. The absence of encryption demands and focus on structured data exfiltration aligned more closely with espionage or data-broker operations observed in European incidents during 2024–2025.
Scope and Nature of Compromised Data
The exfiltrated archive totals 2.3 terabytes of structured data organized into compressed directories corresponding to specific departments and subsidiaries within the Ferrovie dello Stato Italiane (FS) Group. Independent cybersecurity researchers authenticated samples from the leak through metadata analysis and watermark verification against known FS templates. Files bear creation and modification dates extending to October 2025, confirming the compromise occurred during 2025 and remained distinct from earlier incidents.
Exposed materials encompass payroll records for employees across multiple FS entities. These records list full names, fiscal codes, email addresses, telephone numbers, job titles, salaries, and bank account details. Subsidiaries represented include Trenitalia, Rete Ferroviaria Italiana, Mercitalia Intermodal, Italferr, Italcertifer, FS Technology, Grandi Stazioni Retail, and Terminali Italia. The structured format—separated by company and department—facilitates targeted exploitation for identity fraud or phishing campaigns directed at railway personnel.
Administrative and fiscal documents form a substantial portion of the archive. Researchers identified internal correspondence, multi-company repositories, and accounting files updated through the third quarter of 2025. These materials detail operational expenditures, vendor payments, and resource allocations across the FS Group’s logistics and infrastructure divisions. Because such records reveal budgetary priorities and contractual dependencies, adversaries gain visibility into financial flows supporting Italy’s national rail network.
Technical configurations and system documentation appear in dedicated folders. Samples include web server settings, database schemas, and network diagrams for environments managed by Almaviva on behalf of FS entities. Exposure of these files enables reconnaissance for follow-on attacks, as attackers reconstruct internal architectures to identify unpatched vulnerabilities or weak segmentation points between corporate and operational systems.
Contracts and executive agreements constitute the most sensitive subset. Leaked folders contain agreements between Almaviva and institutional clients, including the Ministry of Defense, Italian Air Force, Guardia di Finanza, Carabinieri General Command, health authorities, and Ministry of Foreign Affairs. Markings such as “internal use,” “confidential,” or “exclusive” appear on numerous documents, denoting restricted distribution within authorized personnel.
Strategic planning materials extend the breach’s reach into long-term infrastructure development. Files outline FS Group industrial and investment plans through 2035, specifying priority projects for network expansion, rolling stock acquisition, and digital transformation initiatives. Companion documents list strategic supply priorities, including critical components for maintenance and upgrades designated essential under Italy’s critical infrastructure protections.
Partnership documentation links FS operations to defense-sector collaborators. References emerge to joint projects involving Leonardo and Vitrociset, alongside lists of prioritized procurements tied to national security requirements. Because these materials map interdependencies between civilian transport and military logistics, compromise erodes operational secrecy for dual-use assets.
Passenger-related identifiers surface in limited volumes within the archive. Certain folders hold passport numbers and associated travel records, though researchers report no evidence of mass exposure comparable to prior transport breaches. The presence of these data points nonetheless heightens risks for targeted harassment or impersonation against high-profile travelers.
The archive’s organization reflects deliberate exfiltration tactics. Threat actors grouped files into zipped packages by entity, mirroring techniques employed by data brokers and ransomware affiliates active in 2024–2025. This packaging accelerates monetization on underground markets while complicating victim remediation efforts.
No ransomware deployment accompanied the exfiltration. Attackers prioritized quiet data removal over encryption, aligning with intelligence-gathering operations rather than immediate financial extortion. The recency of compromised records—spanning January to October 2025—rules out recirculation of material from Almaviva’s 2022 incident involving Hive ransomware.
Almaviva’s role as processor under GDPR amplifies regulatory exposure. The company maintained custody of FS Group data in corporate repositories, rendering the breach subject to mandatory notification requirements. Authorities now scrutinize whether adequate segmentation existed between Almaviva’s internal systems and client operational environments.
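The scope section above describes an archive whose files are grouped by subsidiary and which mixes payroll identifiers (fiscal codes, e-mail addresses, bank details) with technical material, and it notes that Almaviva, as processor, must feed breach notifications to the affected controllers. The following Python script is an added illustration, not code from the original report or from Almaviva or FS, of how an incident-response team can triage such a leaked-archive sample to size the personal-data categories per entity. The file paths and contents are constructed; the fiscal-code check-character tables implement the standard published codice fiscale algorithm (letter-substituted "omocodia" variants are deliberately not matched, and IBANs are checked by shape only, not by their mod-97 check digits).

```python
import re

# Constructed sample of (path inside the leaked archive, extracted text).
# Paths and contents are invented for illustration; they are not from the leak.
SAMPLE_FILES = [
    ("Trenitalia/HR/payroll_2025Q3.csv",
     "Mario Rossi;RSSMRA85T10A562S;mario.rossi@example.invalid;IT60X0542811101000000123456"),
    ("RFI/Tecnico/webserver.conf",
     "listen 8443\nupstream db 10.0.0.5:5432"),
    ("Italferr/Amministrazione/contatti.txt",
     # This token has the shape of a fiscal code but a wrong check character,
     # so it must not be counted as an exposed data subject.
     "Referente: RSSMRA85T10A562X ufficio@example.invalid"),
]

# Standard codice fiscale check-character tables: characters in odd positions
# (1st, 3rd, ...) use the _ODD table, even positions use their ordinal value.
_ODD = dict(zip(
    "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    [1, 0, 5, 7, 9, 13, 15, 17, 19, 21,
     1, 0, 5, 7, 9, 13, 15, 17, 19, 21,
     2, 4, 18, 20, 11, 3, 6, 8, 12, 14, 16, 10, 22, 25, 24, 23]))


def _even(c):
    return int(c) if c.isdigit() else ord(c) - ord("A")


def cf_check_char(first15):
    """Return the 16th (check) character for the first 15 characters of a fiscal code."""
    total = sum(_ODD[c] if i % 2 == 0 else _even(c) for i, c in enumerate(first15))
    return chr(ord("A") + total % 26)


def is_valid_fiscal_code(code):
    """True only if the code is well-formed and its check character verifies."""
    return (len(code) == 16 and code.isalnum() and code.isupper()
            and cf_check_char(code[:15]) == code[15])


# Shape patterns for the identifier types named in the report.
PATTERNS = {
    # 6 letters, YY, month letter, DD, town code letter + 3 digits, check letter
    "fiscal_codes": re.compile(r"\b[A-Z]{6}\d{2}[ABCDEHLMPRST]\d{2}[A-Z]\d{3}[A-Z]\b"),
    "emails": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    # Italian IBAN: IT + 2 check digits + CIN letter + 10 digits + 12-char account
    "bank_accounts": re.compile(r"\bIT\d{2}[A-Z]\d{10}[A-Z0-9]{12}\b"),
}


def classify_archive(files):
    """Count distinct, validated identifiers per top-level entity folder.

    Returns {entity: {"fiscal_codes": n, "emails": n, "bank_accounts": n}}.
    Fiscal-code matches that fail the check character are discarded so that
    the notification estimate is not inflated by look-alike strings.
    """
    report = {}
    for path, text in files:
        entity = path.split("/", 1)[0]
        counts = report.setdefault(entity, {k: 0 for k in PATTERNS})
        for category, pattern in PATTERNS.items():
            hits = pattern.findall(text)
            if category == "fiscal_codes":
                hits = [h for h in hits if is_valid_fiscal_code(h)]
            counts[category] += len(set(hits))   # dedupe repeats within one file
    return report


if __name__ == "__main__":
    for entity, counts in classify_archive(SAMPLE_FILES).items():
        print(f"{entity}: {counts}")
```

Run over a real sample set (after extraction to text), the per-entity counts give the processor a first estimate of which controllers must be notified and how many data subjects each one has to assess; the technical files such as the constructed `webserver.conf` produce no personal-data hits and are instead routed to the team reviewing configuration exposure.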
Affected Entities and Critical Infrastructure Exposure
Ferrovie dello Stato Italiane (FS) operates Italy’s primary railway network, managing 16,700 kilometers of track and providing essential passenger and freight services. The group falls under Italy’s National Cybersecurity Perimeter as a critical transport operator. Compromise of its data through a third-party provider exposes vulnerabilities in extended supply-chain ecosystems.
Almaviva functions as a key IT services contractor for FS, handling corporate systems that store administrative, fiscal, and operational records. The breach targeted these corporate environments, not operational control systems. Railway signaling, train dispatching, and passenger services remained unaffected. Separation between corporate repositories and real-time operational technology limited immediate disruption risks.
The Italian National Cybersecurity Agency (ACN) coordinates incident response for entities within the Perimeter. Almaviva notified ACN promptly upon detection. The agency initiated assessments to determine impacts on national critical infrastructure. No operational outages occurred in the transport sector.
Defense-sector linkages emerge from exposed contracts. Almaviva maintains agreements with the Ministry of Defense and other security institutions. Leaked materials include documentation on partnerships that intersect civilian and military logistics. Dual-use railway infrastructure supports potential military mobilization, elevating the incident’s severity.
Law-enforcement entities appear in the archive through contractual records. Agreements with the Guardia di Finanza and Carabinieri General Command detail service provisions. Exposure of these files risks insight into security arrangements for public-order institutions.
Health authorities and the Ministry of Foreign Affairs feature in compromised contracts. These relationships highlight Almaviva’s broad client base across government sectors. Indirect exposure affects multiple pillars of state administration.
The FS Group relies on Almaviva for digital support services integral to administrative functions. Because the breach remained confined to corporate systems, core transport operations continued normally. Segmentation practices prevented lateral movement to safety-critical networks.
Italy designates transport operators like FS as essential under national cybersecurity frameworks. The Perimeter requires heightened protections for such entities. Third-party compromises bypass direct defenses, underscoring vendor oversight gaps.
Response Measures and Investigative Status
Almaviva activated its internal security monitoring services weeks before public disclosure. These services detected anomalous activity within corporate systems. Teams isolated the affected environments immediately. Containment procedures prevented lateral movement to client operational networks. No disruption occurred to services provided to institutional clients.
The company deployed a specialized incident-response team. This team executed predefined counter-response protocols tailored for data-exfiltration scenarios. Procedures ensured continuity of critical operations. Almaviva maintained full functionality across managed infrastructures.
Almaviva notified relevant authorities upon confirmation of exfiltration. Notifications reached the Public Prosecutor’s Office in Rome. The Postal Police received detailed reports. The National Cybersecurity Agency (ACN) activated coordination mechanisms under national protocols. The Italian Data Protection Authority (Garante Privacy) opened supervisory proceedings for GDPR compliance.
Close collaboration continues between Almaviva and investigative bodies. Joint efforts focus on forensic analysis of access logs and compromised endpoints. Authorities examine potential vectors including credential abuse or supply-chain dependencies. No public attribution has emerged from official channels.
Almaviva published an official note on its corporate website on 20 November 2025. The statement confirmed isolation success and absence of impacts on client services. The company committed to transparent updates constrained by investigative requirements, and placed emphasis on data protection as a core priority.
The Ferrovie dello Stato Italiane (FS) Group coordinated internally with Almaviva. FS had issued no independent public statement as of 8 December 2025. Operational continuity across railway networks remained uninterrupted. Internal assessments verified segmentation effectiveness between corporate repositories and control systems.
The ACN leads national-level oversight for incidents involving critical infrastructure providers. Agency teams support forensic preservation and threat indicator sharing. Coordination extends to European partners where cross-border implications arise. No operational alerts escalated beyond initial notifications.
Law-enforcement agencies pursue criminal investigation tracks. The Rome Prosecutor’s Office oversees proceedings under statutes for unauthorized system access. Potential charges include aggravated circumstances given involvement of sensitive state-related data. Technical support is provided by the Postal Police’s specialized unit for critical infrastructure protection.
Private-sector researchers contribute voluntary analysis of leaked samples. Findings validate authenticity without revealing new investigative details. No evidence indicates ransomware encryption or payment demands. Focus remains on exfiltration for intelligence or resale purposes.
Regulatory scrutiny intensifies under GDPR obligations. Almaviva acts as data processor for multiple public entities. Breach notifications cascade to affected controllers. The Garante Privacy evaluates adequacy of technical and organizational measures predating the incident.
No additional client disclosures surfaced publicly. Almaviva’s broad government portfolio raises questions about wider exposure risks. Ongoing forensics determine precise data categories exfiltrated beyond initial samples.
Investigative timelines extend into 2026 for complete root-cause determination. Interim measures include enhanced monitoring and access reviews. Almaviva implements mandatory credential rotations across corporate environments.
National-Security Implications
The exfiltrated materials expose contractual relationships between Almaviva and multiple Italian security institutions. Documents detail agreements with the Ministry of Defense, the Italian Air Force, the Guardia di Finanza, and the Carabinieri General Command. These contracts outline service scopes for IT support in sensitive environments. Because Almaviva positions itself as a provider of cybersecurity solutions to defense and law-enforcement entities, compromise of these records reveals operational dependencies on third-party vendors for digital infrastructure maintenance.
Long-term strategic planning for the Ferrovie dello Stato Italiane (FS) Group appears in the archive through 2035. Investment plans specify infrastructure upgrades, rolling-stock acquisitions, and network expansions. Railway networks serve dual-use purposes in Italy, supporting civilian transport while enabling rapid military mobilization under national emergency protocols. Exposure of these timelines allows adversaries to anticipate capacity enhancements and identify critical nodes for potential disruption.
Priority lists for strategic supplies accompany the planning documents. These lists enumerate components essential for railway maintenance and operations, including items designated under national security procurement rules. Their compromise maps the supply chain for an adversary, who could then target specific suppliers or attempt to substitute tampered hardware during future acquisitions.
Partnership documentation links FS operations to defense contractors such as Leonardo and Vitrociset. Files reference joint projects and shared priorities for dual-use technologies. Because these entities contribute to Italy’s defense industrial base, the leaked materials disclose collaboration structures that adversaries could exploit for intelligence on integrated civilian-military logistics.
Employee records across FS subsidiaries contain personal identifiers, including fiscal codes and contact details for personnel in security-sensitive roles. Targeted phishing or impersonation campaigns against these individuals risk further intrusions into restricted systems. The volume of exposed identifiers—spanning thousands of records—amplifies risks of coordinated social-engineering operations.
Technical configurations from Almaviva-managed environments include network diagrams and access procedures. Although operational control systems remained segregated, corporate-level documentation provides reconnaissance material for planning attacks across segmentation boundaries. Adversaries can combine this data with other sources to probe for misconfigurations in critical transport infrastructure.
The incident demonstrates supply-chain vulnerabilities in Italy’s critical transport sector. FS Group operates under the National Cybersecurity Perimeter, which mandates elevated protections for essential services. Because Almaviva held FS data on its own corporate systems, the attackers obtained it without ever touching FS networks, sidestepping the defenses FS maintains directly. This pattern aligns with the observed adversary focus on vendors as a route to high-value targets.
No operational disruption occurred during the exfiltration phase. Attackers prioritized data removal over encryption or destruction, consistent with intelligence-collection objectives rather than immediate sabotage. The structured packaging of the archive facilitates resale on underground markets, extending secondary exploitation risks to non-state actors.
Defense-related contracts in the leak carry markings of restricted distribution. Public dissemination erodes confidentiality protections for partnerships involving the Ministry of Defense. Adversaries gain visibility into budgetary allocations and service-level agreements that support military requirements.
Italy’s railway infrastructure supports NATO logistics in southern Europe. Exposure of long-term investment plans informs potential adversaries about future capabilities for alliance reinforcement routes. Although no classified military documents appear confirmed in open samples, civilian-military overlaps heighten strategic concerns.
The breach underscores gaps in vendor oversight for entities serving multiple government sectors. Almaviva’s client portfolio spans transport, defense, finance, and foreign affairs. A single corporate compromise cascades risks across institutional boundaries, complicating compartmentalization efforts.
Policy Recommendations and Broader Lessons
Italy mandates rigorous third-party risk assessments for all entities within the National Cybersecurity Perimeter. The Almaviva incident exposes persistent failures in enforcing segmentation between corporate administrative systems and client operational environments. Because Almaviva stored sensitive FS Group data in repositories accessible from corporate networks, attackers achieved deep exfiltration without triggering operational alarms. Authorities require contractual clauses that enforce zero-trust architecture principles for vendors handling data from Perimeter entities.
The National Cybersecurity Agency (ACN) oversees implementation of the National Cybersecurity Strategy 2022-2026. This strategy prioritizes supply-chain resilience through 82 measures, including enhanced vendor scrutiny and mandatory incident simulation exercises. The Almaviva breach demonstrates that current oversight mechanisms fall short when providers serve multiple critical sectors simultaneously. ACN expands continuous monitoring requirements to include real-time logging of vendor access to Perimeter-related data.
Italy transposed the NIS2 Directive through Legislative Decree 138/2024, in force since 16 October 2024. This framework extends obligations to thousands of additional entities and imposes stricter supply-chain security controls. Essential and important entities are expected to complete comprehensive risk assessments of their suppliers by October 2026, with interim reporting milestones. The incident adds pressure to accelerate enforcement for transport and defense-sector providers.
ENISA identifies supply-chain compromises as a prime threat vector in its 2025 Threat Landscape report, analyzing incidents from July 2024 to June 2025. State-aligned actors increasingly target third-party IT providers to reach high-value clients indirectly. European regulators adopt unified certification schemes for critical vendors under the EU Cybersecurity Act. Italy aligns national evaluation centers with these schemes to prevent recurrence of unvetted access points.
Segmentation failures enabled the breach’s scale. Almaviva maintained FS Group administrative records in corporate environments without strict logical separation from internet-facing systems. Policy mandates physical or logical separation for any vendor processing data from entities designated under the Perimeter, and non-compliance can trigger suspension of contracts with critical operators.
Incident notification protocols under the Perimetro di Sicurezza Nazionale Cibernetica require reporting within hours of detection (six hours, or one hour for the most severe incident categories, under DPCM 81/2021). Almaviva complied promptly, yet the absence of ransomware initially masked the severity: a transfer of roughly 2.3 terabytes leaves no encrypted hosts or ransom note to raise the alarm. ACN’s incident criteria therefore need to treat large-volume exfiltration as a reportable event in its own right, independent of any encryption or payment demand, so that national response assets mobilize earlier.
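The detection gap described above, bulk exfiltration with no ransomware signal, is usually closed with an egress-volume baseline: compare each host’s outbound bytes per day against its own history and alert when a day is both large in absolute terms and far above the median. The script below is an added illustration for this article, not tooling from Almaviva, FS Group or ACN. It assumes a hypothetical flat log format of one line per flow summary (date, source host, destination IP, bytes out); the sample lines are constructed for the example and describe no real incident.

```python
"""Egress-volume anomaly check over constructed firewall/proxy log lines.

Hypothetical example written for this article; not Almaviva's, FS Group's
or ACN's tooling. Assumed line format:  <YYYY-MM-DD> <src_host> <dst_ip> <bytes_out>
"""
from collections import defaultdict
from statistics import median

# Constructed sample log: four quiet days, then on day five one workstation
# pushes ~650 GB to a single external address. Fictional hosts and addresses.
SAMPLE_LOG = """\
2025-11-01 fileserver01 203.0.113.10 5200000
2025-11-01 wks-hr-07 198.51.100.20 800000
2025-11-02 fileserver01 203.0.113.10 4900000
2025-11-02 wks-hr-07 198.51.100.20 750000
2025-11-03 fileserver01 203.0.113.10 5100000
2025-11-03 wks-hr-07 198.51.100.20 820000
2025-11-04 fileserver01 203.0.113.10 5000000
2025-11-04 wks-hr-07 198.51.100.20 790000
2025-11-05 fileserver01 203.0.113.10 5300000
2025-11-05 wks-hr-07 198.51.100.20 810000
2025-11-05 wks-hr-07 192.0.2.77 650000000000
"""

RATIO_THRESHOLD = 10.0            # a day must exceed 10x the host's median day
ABSOLUTE_FLOOR = 1_000_000_000    # ...and move at least 1 GB (ignore tiny hosts)


def parse_line(line):
    """Parse one 'date host dst bytes' line; return a tuple or None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    date, host, dst, raw = parts
    try:
        return date, host, dst, int(raw)
    except ValueError:
        return None


def daily_egress(log_text):
    """Aggregate outbound bytes per (host, day) and per (host, day, destination)."""
    per_day = defaultdict(int)
    per_dst = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or malformed lines rather than abort the run
        date, host, dst, n = rec
        per_day[(host, date)] += n
        per_dst[(host, date, dst)] += n
    return per_day, per_dst


def detect_bulk_exfiltration(log_text, ratio=RATIO_THRESHOLD,
                             floor=ABSOLUTE_FLOOR, min_history=3):
    """Flag host-days whose outbound volume is above `floor` and more than
    `ratio` times the median of that host's earlier days. Returns alert dicts."""
    per_day, per_dst = daily_egress(log_text)
    hosts = defaultdict(dict)
    for (host, date), n in per_day.items():
        hosts[host][date] = n

    alerts = []
    for host, days in hosts.items():
        ordered = sorted(days)                       # ISO dates sort chronologically
        for i, date in enumerate(ordered):
            history = [days[d] for d in ordered[:i]]
            if len(history) < min_history:
                continue                             # not enough baseline yet
            baseline = median(history)
            today = days[date]
            if today >= floor and today > ratio * baseline:
                # Which destination carried most of the day's volume?
                top_dst, top_bytes = max(
                    ((d, b) for (h, dt, d), b in per_dst.items()
                     if h == host and dt == date),
                    key=lambda kv: kv[1],
                )
                alerts.append({
                    "host": host, "date": date, "bytes": today,
                    "baseline": baseline,
                    "ratio": round(today / baseline, 1) if baseline else float("inf"),
                    "top_dst": top_dst,
                    "top_dst_share": round(top_bytes / today, 3),
                })
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_exfiltration(SAMPLE_LOG):
        print(f"{a['date']} {a['host']}: {a['bytes']:,} B out "
              f"({a['ratio']}x baseline), {a['top_dst_share']:.0%} to {a['top_dst']}")
```

The per-host median is deliberately used instead of a fleet-wide threshold: a file server that legitimately moves gigabytes every day must not drown out a workstation that suddenly moves hundreds of gigabytes. The absolute floor keeps hosts with near-zero baselines from alerting on noise, and the top-destination share is the field an analyst checks first, since a single external sink receiving almost all of the spike is the signature of a staged archive being pulled out.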
Defense-sector contracts in the leak highlight dual-use infrastructure risks. Railway networks support military logistics under NATO commitments. The Ministry of Defense integrates cybersecurity clauses into all procurement involving civilian providers. Joint exercises with FS Group test resilience against intelligence-grade exfiltration scenarios.
Broader European lessons emerge from converging threat patterns. ENISA documents increased collaboration among threat actors, reusing tools across criminal and state-aligned operations. Italy participates in EU-wide threat-sharing platforms to correlate indicators from similar vendor compromises. Enhanced information exchange prevents isolated incidents from escalating into systemic vulnerabilities.
Training programs for vendor personnel lag behind technical controls. Employee credentials likely served as initial access vectors. ACN launches mandatory certification for staff handling Perimeter data, covering phishing resistance and privilege management. Annual recertification ties to contract renewal eligibility.
Regulatory penalties under NIS2 reach up to €10 million or 2 % of global annual turnover, whichever is higher, for essential entities that fail their supply-chain obligations (for important entities the ceiling is €7 million or 1.4 %). The Almaviva case tests enforcement appetite. ACN imposes interim audits on providers with defense or transport clients, focusing on access controls and enforcement of data classification.
Investment in domestic cybersecurity capabilities reduces foreign vendor dependency. The National Strategy allocates resources from the National Recovery and Resilience Plan for indigenous tools. Public-private partnerships develop segmented platforms tailored to Italian critical infrastructure needs.
| Concept | Key Details | Specific Data/Examples |
|---|---|---|
| Incident Overview | Cyber intrusion into Almaviva’s corporate systems leading to exfiltration and partial leak of client data, primarily from the Ferrovie dello Stato Italiane (FS) Group. No operational disruption to railway services. | Volume exfiltrated: 2.3 terabytes. Breach detected and isolated weeks before public confirmation on 20 November 2025. Distinguished from Almaviva’s 2022 Hive ransomware incident. |
| Detection and Initial Confirmation | Almaviva’s internal security monitoring detected anomalous activity. Company activated containment procedures and notified authorities. | Detection: Weeks prior to 20 November 2025. Public statement issued 20 November 2025 confirming isolation success and no impact on critical services. |
| Threat Actor Activity | Unidentified actor claimed responsibility on underground forums, posting samples and progressively releasing portions of the archive. Structured packaging suggests deliberate exfiltration for monetization or intelligence purposes. | Claims began 22 November 2025. Samples included directory trees and file listings. No ransomware encryption or payment demands observed. |
| Data Freshness and Distinction from Prior Incidents | Leaked files contain documents updated through Q3 2025 (up to October 2025 in some reports), confirming a new compromise. | Modification timestamps: January to October 2025. Explicitly separate from 2022 attack involving Hive ransomware on different systems. |
| Types of Compromised Data – Employee Records | Payroll and HR files from multiple FS subsidiaries containing personal identifiers. | Full names, fiscal codes, email addresses, phone numbers, job titles, salaries, bank account details. Affected subsidiaries include Trenitalia, Rete Ferroviaria Italiana, Mercitalia Intermodal, Italferr, Italcertifer, FS Technology, Grandi Stazioni Retail, Terminali Italia. |
| Types of Compromised Data – Administrative and Fiscal | Internal correspondence, accounting records, and multi-company repositories. | Operational expenditures, vendor payments, resource allocations updated through Q3 2025. |
| Types of Compromised Data – Technical Configurations | System and network documentation managed by Almaviva for FS entities. | Web server settings, database schemas, network diagrams. Useful for reconnaissance but no access to operational control systems. |
| Types of Compromised Data – Contracts and Agreements | Service contracts with government and institutional clients, often marked restricted. | Agreements with Ministry of Defense, Italian Air Force, Guardia di Finanza, Carabinieri General Command, health authorities, Ministry of Foreign Affairs. |
| Types of Compromised Data – Strategic Planning | Long-term infrastructure and investment documents. | FS Group industrial and investment plans through 2035; priority lists for strategic supplies; partnerships with Leonardo and Vitrociset (including references to projects like Project Venus). |
| Types of Compromised Data – Passenger-Related | Limited exposure; no evidence of mass passenger data compromise. | Scattered passport numbers and travel identifiers in some folders. |
| Affected Primary Entity | Ferrovie dello Stato Italiane (FS) Group – Italy’s state-owned railway operator designated as critical infrastructure. | Manages passenger transport, freight logistics, infrastructure. Breach confined to corporate/administrative data stored by Almaviva. |
| Other Potentially Affected Entities | Institutions with contracts visible in leaked materials. | Ministry of Defense, Italian Air Force, Guardia di Finanza, Carabinieri, health authorities, Ministry of Foreign Affairs. No confirmed additional client impacts beyond FS. |
| Critical Infrastructure Context | Incident involves provider to operator within Italy’s National Cybersecurity Perimeter. | Railway networks dual-use for civilian and military purposes; supports NATO logistics in southern Europe. |
| Response Measures – Almaviva | Immediate isolation, activation of incident-response team, maintenance of service continuity. | Corporate systems only affected; operational environments segregated. Updated public statements 20-28 November 2025. |
| Response Measures – Authorities | Notifications and ongoing investigations. | Informed parties: Public Prosecutor’s Office (Rome), Postal Police (CNAIPIC), National Cybersecurity Agency (ACN), Italian Data Protection Authority (Garante Privacy). Criminal probe for unauthorized access. |
| Response Measures – FS Group | Internal coordination; no independent public statement. | Verified segmentation effectiveness; railway operations uninterrupted. |
| Investigative Status | Forensic analysis ongoing; no public attribution. | Focus on access vectors (possible credential compromise); regulatory scrutiny under GDPR and NIS2. Timelines extend into 2026. |
| National-Security Implications – Defense Linkages | Exposure of contracts and partnerships intersecting civilian transport with military requirements. | Mapping of procurement dependencies, dual-use asset interdependencies, potential insight into military logistics support. |
| National-Security Implications – Strategic Exposure | Long-term plans and supply priorities revealed. | Visibility into infrastructure investments through 2035; risks to operational secrecy for mobilization routes. |
| National-Security Implications – Personnel Risks | Personal data enables targeted attacks. | Phishing, identity fraud, or social engineering against employees in sensitive roles. |
| Policy and Broader Lessons | Highlights supply-chain vulnerabilities and segmentation gaps. | Need for mandatory zero-trust in vendors, stricter NIS2 enforcement (Italy’s Legislative Decree 138/2024), enhanced vendor oversight, continuous monitoring, and EU-level certification. |
| Regulatory Context | Obligations under GDPR, NIS2 Directive, and National Cybersecurity Strategy. | NIS2 penalties up to €10 million or 2 % of global turnover (whichever is higher) for essential entities; accelerated supplier risk assessments by 2026. |