Date of incident: November 21, 2025
Affected entity: Ferrovie dello Stato Italiane S.p.A. (FS Italiane Group), Italy’s national state-owned railway holding company, via its IT services provider AlmavivA SpA. BleepingComputer+1
Summary:
On November 21, 2025, it was reported that a threat actor claimed to have stolen around 2.3 terabytes of data tied to FS Italiane Group, following a cybersecurity incident at AlmavivA, which serves as a large IT and digital-services provider for multiple FS group companies. BleepingComputer+2Business Insurance+2
The data reportedly included internal documents, contracts, employee and partner details, and possibly passenger- or logistics-related datasets. Security Affairs+1
What Happened
According to reporting, the incident appears to be an attack on AlmavivA’s corporate systems, which impacted the FS Italiane Group via its service-provider relationship. The attacker claims to have exfiltrated large archives arranged by department and company, indicating broad access across multiple FS group entities. Security Affairs+1
AlmavivA confirmed that its security-monitoring detected and isolated the cyberattack, that some data was stolen, and that services remained operational. BleepingComputer
Impact
- The leaked data reportedly includes confidential internal documents, contracts with public entities, NDAs, technical files, HR archives, accounting data and possibly passenger-personal data (names, emails, job titles) tied to various FS subsidiaries. Security Affairs+1
- The data volume (~2.3 TB) suggests significant breadth of exposure. BleepingComputer+1
- Given FS Italiane Group’s role in passenger and freight transport infrastructure, the event raises concerns about exposure of sensitive logistics, employee and customer information, and potential downstream risk across Italy’s national transport network.
Cause of the Breach
While full forensic details are still under investigation, key contributing factors include:
- A breach of the IT-services provider AlmavivA, rather than FS Italiane Group directly.
- The attacker appears to have gained access to AlmavivA’s systems, allowing exfiltration of data across FS-linked entities.
- The access model (service provider → major infrastructure operator) illustrates third-party supply-chain risk.
- The data appears recent (Q3-2025 documents referenced) suggesting the breach is fresh rather than a legacy leak. Security Affairs+1
Response
- AlmavivA stated that after detecting the intrusion, they isolated the systems, activated incident-response teams and notified Italian authorities (public prosecutor, national cybersecurity agency, data protection authority). Security Affairs+1
- FS Italiane Group has not publicly provided detailed disclosures yet (as of the available reporting).
- Investigations remain ongoing and relevant stakeholders are coordinating monitoring and response efforts. BleepingComputer+1
Significance
This incident highlights several critical issues:
- Infrastructure-critical organizations (national railway operators) are vulnerable not only via direct attack but via their suppliers/service-providers.
- Large exfiltration volumes (~2.3 TB) reflect the scale of potential exposure and downstream risk (employee/partner data, passenger information, contracts, operational plans).
- The event underscores the necessity of strong third-party risk management, vendor oversight, segmentation between service-provider systems and critical operator systems, and robust incident-response readiness.
- In the context of transport infrastructure, any exposure of logistics or system internal data can have ripple effects for cybersecurity, safety, business continuity, and national resilience.
Sources:
- “Hacker claims to steal 2.3 TB data from Italian rail group, Almaviva” — BleepingComputer, Nov 20 2025. BleepingComputer
- “Massive data leak hits Italian railway operator Ferrovie dello Stato via Almaviva hack” — SecurityAffairs, Nov 21 2025. Security Affairs
- “Cyberattack on Italian IT firm exposes 2.3 TB of confidential data” — Business Insurance, Nov 21 2025. Business Insurance