Cyber Incident Victim: Generali España

Generali España, an insurance company, confirmed a security incident that potentially impacted former customers around November 2022. The breach involved unauthorized access to personal data, including names, surnames, addresses, landline and mobile phone numbers, email addresses, national ID numbers, dates and countries of birth, marital statuses, and IBAN codes associated with insured individuals' current accounts. The company explicitly stated that credit card information and passwords were not compromised in the incident. Generali España reported the breach to both the Spanish Data Protection Agency (AEPD) and Spain’s National Police, fulfilling regulatory obligations. No details were provided regarding the attack vector, duration of unauthorized access, or specific detection methods leading to the incident’s discovery.

The insurer did not disclose the number of affected individuals despite inquiries from media outlets, leaving the breach’s full scope undefined. Exposed data elements carried significant privacy risks, including potential identity theft and financial fraud due to the inclusion of national IDs and bank account identifiers. Generali España issued a public statement acknowledging the incident but did not describe remediation efforts for impacted individuals beyond regulatory notifications. The company’s lack of response regarding victim count and absence of disclosed mitigation measures for former customers limited transparency about the breach’s consequences. No ransomware groups or threat actors claimed responsibility for the incident in available reports, and the company’s operational systems status during the attack remained unspecified.