Trenitalia, hacker attack: data of some customers related to tickets exposed
Trenitalia has begun contacting a portion of its customer base via email to report a cybersecurity incident. The company, part of the Ferrovie dello Stato Italiane Group, speaks of an unauthorized access attributed to "unidentified external individuals," which involved some personal data linked to travel tickets.
In its communication, the company immediately clarifies the scope of the intrusion. Account data, personal credentials, and payment information (card number, expiration date, and security code) are not involved in the breach. This point is what Trenitalia emphasizes the most, in an attempt to contain alarm among users.
What may have been exposed is the data associated with the ticket, and not every item necessarily applies to every recipient. The company refers to information that may have been accessed "if present" in the systems linked to the ticket. The list provided includes the passenger's first name, last name, date and place of birth, as well as the details of the purchaser when different from the traveler. Contact data, namely email address and phone number, are also included.
The list continues with information associated with the journey: route, date and time of travel, and ticket number. It can also include the loyalty card code linked to the ticket, the employer entity or company, the type of offer or service subscribed to, and the data needed to use it. In some cases, the details of the identity document and technical information related to the generation of the ticket are also included.
Hacker attack on Trenitalia: it’s official
The scenario that emerges is not about a single isolated field but rather a set that intersects identity, contacts, and travel habits. It is precisely this combination that weighs more heavily than the payment data excluded from the breach: a name and an identity document rarely change over time, unlike a card that can be blocked and reissued. For those managing work trips, the reference to the employer adds a layer of sensitive context.
Trenitalia justifies the delay in notification with the complexity of the checks. To accurately identify the users actually affected, the company explains, it was necessary to meticulously reconstruct the improper accesses to the systems. This task was entrusted to internal IT teams and required time before communications could be sent to the parties directly concerned.
This move responds to Article 34 of the EU Regulation 2016/679, the GDPR, which requires informing those involved when a breach poses a high risk to their rights. The company also cites the EDPB guidelines 9/2022, in its updated version from March 2023, as a reference for the procedure followed.
On the institutional front, the company declares that it has notified the incident to the Data Protection Authority and to CSIRT Italy, the structure of the National Cybersecurity Agency that coordinates incident response. Trenitalia has also filed a complaint with the Rome Public Prosecutor's Office, thus opening a judicial front as well.
It remains to clarify the actual extent of the breach, as the company has not communicated the number of affected customers or the time window of the attack. The targeted email communication, directed only to users deemed involved, suggests a circumscribed perimeter, but without official figures, any estimates remain premature.
Those who receive the email would do well to treat any subsequent messages regarding the incident with skepticism. The combination of name, contacts, and travel details is ideal material for targeted phishing attempts, even in the absence of banking data or passwords: an attacker who knows the route, time, and ticket number can craft very credible communications, perhaps posing as Trenitalia itself.
It is better to be wary of links and requests for credentials, and to always verify through official channels.