Cyber Incident Victim: Associazione Bancaria Italiana
Date: Feb 2022
Location: Italy
Summary
The Italian Banking Association suffered a ransomware attack by the Vice Society gang, resulting in the theft of sensitive employee data including payslips, medical records, passwords, and internal promotion documents. The organization confirmed the breach, notified law enforcement, and implemented additional security measures while refusing ransom demands. Operational disruptions occurred, including temporary website downtime initially attributed to migration issues. As a key entity managing Italy's financial sector Computer Emergency Response Team alongside the central bank, the incident highlighted broader cybersecurity challenges amid increasing attacks on critical national infrastructure. The compromised systems contained non-public operational documents, though the association does not directly serve consumers.
Description
The ransomware attack targeting the Associazione Bancaria Italiana (ABI) began in February 2022, with the Vice Society cybercrime gang claiming responsibility for breaching the banking association's systems. The attackers exfiltrated substantial volumes of sensitive employee data, including payslips, email addresses, telephone numbers, stored passwords, and medical condition lists of workers. Evidence suggests compromised systems also contained PDF files detailing internal promotion decisions and authorization protocols for Bancomat employees. ABI first acknowledged cybersecurity incidents during this period but did not immediately disclose full details. On April 7, 2023, researchers including Claudio Sono identified Vice Society's public claim of responsibility alongside samples of stolen data published online. This coincided with temporary website outages that ABI initially attributed to migration-related technical issues, though potential connections to the attack remained unconfirmed.

ABI confirmed the breach through an official statement, reporting the incident to the Postal Police and relevant authorities while implementing protective measures for personnel data and infrastructure security. The association refused ransom payment demands despite criminal pressure to decrypt stolen information. As a critical entity managing Italy's Financial Computer Emergency Response Team (CERT) alongside Banca d'Italia, the compromise raised concerns about systemic financial sector risks. The incident exposed vulnerabilities in an organization directly involved with cybersecurity innovation through its ABI Lab division. Impacts extended beyond operational disruptions to reputational damage and potential secondary exploitation of leaked medical and employment records. This attack formed part of a broader escalation in ransomware operations against Italian critical infrastructure throughout early 2023, including contemporaneous incidents affecting Trenitalia's ticketing systems.
