The Privacy Authority Punishes WindTre for the 2025 Data Breach, Involving Data of Over 365,000 Customers
The Authority for the protection of personal data has imposed a fine of €1,715,600 on Wind Tre for serious security deficiencies that allowed hackers to breach corporate systems on two separate occasions. The exfiltration involved the personal data of over 365,000 customers.
For a portion of these, specifically 41,359 users, the damage is deeper: attackers also stole information related to payment methods, including postal receipts, IBAN, partially masked credit card numbers, and the associated expiration dates.
The investigation by the Authority stems from the two data breaches reported by Wind Tre itself in February 2025. Investigations reconstructed the dynamics of the attack: cybercriminals posed as technicians and managed to convince operators at two retail locations to grant access to corporate systems. From there, it was a short step to the exfiltration of customers' personal and contact data.
Vulnerabilities Identified by the Authority that Allowed the Data Breaches
At the heart of the complaints are the management methods of access credentials and digital certificates, deemed inadequate to contain an attack primarily based on social engineering techniques. The Authority also noted that the security checks conducted internally by Wind Tre were not sufficient to intercept vulnerabilities that more in-depth assessments would have identified.
Based on these elements, the Authority confirmed the violation of the principles of integrity and confidentiality of data provided for by the GDPR, in addition to the general security obligations for data processing. Wind Tre must now strengthen the protection systems for credentials and digital certificates, introduce secure tools for password management, and review internal cybersecurity procedures to prevent similar incidents from recurring.
In calculating the amount of the fine, the Authority considered several mitigating factors: the timeliness with which Wind Tre reported the incident, the corrective measures implemented immediately after the attack, and the cooperation provided by the telecom operator during the investigation. These circumstances reduced the amount of the fine, although they did not exclude the company's responsibility for the structural gaps identified in its systems.
This case confirms a recurring problem in the Italian telecommunications sector: the weak point is almost never the technology itself, as we have said many times, but the human factor. It only takes a few operators convinced to trust a fake technician to open a breach capable of exposing the information of hundreds of thousands of people, including the most sensitive information related to payments.