Cyber Incident Victim: Regional Environmental Protection Agency in Abruzzo

On November 5, 2019, Italian hacktivist groups Anonymous Italia and LulzSecITA conducted coordinated cyberattacks against multiple Italian organizations as part of the annual Million Mask March protest. The attacks coincided with Guy Fawkes Day, an event historically associated with Anonymous operations globally. Targets included professional legal orders in Arezzo, Grosseto, and Perugia; the Prefecture of Naples; telephone operator Lyca Mobile; and environmental agencies including the Regional Environmental Protection Agency in Abruzzo and Puglia. LulzSecITA specifically compromised Lyca Mobile’s Italian operations, exfiltrating 5.4 gigabytes of sensitive data including customer identification documents (passports, driver’s licenses), telephone records, and credit card information. The attackers publicly leaked these materials to demonstrate security vulnerabilities.

The hacktivists claimed access to an email account (lycamobile[at]lycamobile[.]it) belonging to a Lyca Mobile official, suggesting potential full account control. Their stated objective emphasized exposing institutional failures in data protection rather than financial fraud, with Anonymous Italia releasing a manifesto criticizing organizations for inadequate privacy safeguards. No specific details were confirmed regarding the nature of compromised data from the Regional Environmental Protection Agency in Abruzzo beyond its inclusion in the target list. Similarly, the authenticity of all leaked documents remained unverified at the time of reporting. The incident highlighted operational security deficiencies across multiple public and private entities, with Lyca Mobile’s breach particularly illustrating risks to customer privacy through exposed personal and financial records. No organizational containment measures or technical responses were detailed in available reports.