Cyber Incident Victim: Cantina Tollo

Date: Jan 2023

Location: Italy

Summary

A ransomware attack by the LockBit 3.0 group targeted Cantina Tollo, compromising its data center and disrupting critical services. The attackers exfiltrated financial records and client agreements, demanding $249,000 for data deletion or $1,000 to extend their countdown timer before threatened public release. The victim isolated affected systems, suspended services to contain the breach, and proactively notified customers of the incident while initiating GDPR-compliant remediation efforts. Operational impacts included temporary service suspensions, and the attackers published samples of stolen data to pressure the organization. The company's transparent communication prior to LockBit's leak deadline was noted as an exemplary response in crisis management.

Description

On January 30, 2023, Cantina Tollo experienced a ransomware attack targeting the data center hosting some of its primary IT systems. The LockBit 3.0 ransomware variant, operated by the LockBit cybercriminal group, compromised systems and exfiltrated sensitive data, including financial records and client agreements. LockBit initiated a countdown on February 7, 2023, announcing on their data leak site that stolen information would be published on February 15, 2023, at 19:29 UTC unless payment demands were met. The group demanded $249,000 for permanent data deletion and $1,000 for each 24-hour countdown extension, leveraging the threat of data exposure to pressure the organization. Attackers published samples of exfiltrated data to demonstrate the severity of the breach and validate their claims.

Cantina Tollo responded by issuing a public statement four days prior to LockBit’s countdown announcement, disclosing the incident to clients and stakeholders. The company isolated and deactivated affected systems to contain the attack, suspending certain services temporarily to prevent further data compromise. They initiated forensic analyses to assess the scope of the breach and implemented measures to address potential GDPR violations under Article 34 of Regulation (EU) 2016/679. Operations were disrupted during the containment phase, though the company emphasized efforts to minimize impacts on client data privacy. Cantina Tollo established a dedicated email contact for stakeholder inquiries and committed to providing updates as investigations progressed. LockBit’s history of targeting Italian organizations and its ransomware-as-a-service (RaaS) model, which splits ransom payments between developers and affiliates, underscored the systemic threat posed by the attack. The incident highlighted operational vulnerabilities and the critical need for proactive crisis communication in maintaining client trust during cybersecurity events.