Cyber Incident Victim: Kyma Mobilità
Date: Mar 2025
Location: Italy
Summary
Kyma Mobilità was informed by its service provider MyCicero of a personal data breach affecting some users of its mobility apps, after malicious activity by unidentified external actors compromised a subcontractor’s data center in Milan, leading to the unauthorized extraction of personal information such as names, surnames, gender, dates and places of birth, tax codes and contact details; no special‑category data were involved. The company subsequently notified the data‑protection authority, sought clarification from the data controller and its sub‑processors, and made contact details available for affected individuals seeking further information.
Description
On 29 and 30 March 2025, unidentified external actors carried out malicious activity against the data center infrastructure used by Pluservice s.r.l., the provider hosting MyCicero’s services. On 1 April 2025, Pluservice s.r.l. detected the activity and conducted a forensic analysis that afternoon, confirming the unauthorized exfiltration of personal data from its databases. At approximately 17:30 on 3 April 2025, MyCicero s.r.l. received a formal technical report detailing the incident and was subsequently notified of the breach. Kyma Mobilità S.p.A. was then informed of the events through a formal communication from MyCicero.

The compromised systems consisted of servers hosted in the data center facility of Pluservice s.r.l. located at its headquarters in Milan. The affected services were the mobility applications “Kyma Mobilità” and “MooneyGo”, used by customers, subscribers and other users of the company’s transport offerings. The data that were exfiltrated included personal identifiers such as name, surname, sex, date and place of birth, tax code, as well as contact information comprising postal or email addresses, fixed or mobile telephone numbers and user identifiers. No special categories of data, such as financial, health, biometric or judicial information, were involved in the breach. The company stated that the breach resulted in a loss of confidentiality of the data and that, while there was no evidence of illicit use at the time, there remained a potential risk of unauthorized access or unwanted contacts.
In response to the incident, Kyma Mobilità S.p.A. notified the Italian Data Protection Authority (Garante per la protezione dei dati personali) of the breach. The company also requested clarifications from the data controller and the sub‑controllers involved in the processing, pursuant to article 28 of the EU General Data Protection Regulation. Kyma Mobilità provided institutional contact points for further inquiries, including the email address [email protected], the certified email [email protected] and the data protection officer, Avv. Ernesto Barbone, reachable at [email protected]. The communication was signed by the legal representative, Avv. Daniele D’Ambrosio, on 15 April 2025.
