Cyber Incident Victim: Wind Telecomunicazioni S.p.A.

On March 20, 2017, Wind Tre, an Italian telecommunications provider, experienced a data breach impacting its customer base. The incident occurred when an external service provider responsible for managing Wind Tre’s Self Care 3 online platform was targeted by an attack. This breach exposed the data of 5,118 customers, with unauthorized access confirmed for 402 individuals. The compromised information included user IDs and login credentials, posing risks of account misuse and identity theft. The attack specifically exploited vulnerabilities in the third-party service provider’s systems, though technical details of the intrusion method were not publicly disclosed. Wind Tre did not initially detect or report the breach independently, as the incident came to light through subsequent investigations. The scale of the breach remained confined to the Self Care 3 platform, with no evidence suggesting wider network infiltration or compromise of financial data. Affected customers were not immediately notified, delaying their ability to take protective measures.

Italy’s data protection authority, Garante Privacy, intervened following the breach, directing Wind Tre to formally notify all impacted customers. This regulatory order compelled the company to disclose the incident’s scope, including the distinction between total affected customers and those whose data was actively accessed. Wind Tre complied with the directive, though the timeline and method of customer communication were not specified in available reports. The breach drew public attention through coverage by the tech news outlet Key4Biz, which cited Telecompaper as its source. No additional remediation steps, such as credit monitoring or password resets, were detailed in the available information. The incident underscored risks associated with third-party vendor dependencies in cybersecurity frameworks. Garante Privacy’s involvement highlighted regulatory expectations for prompt breach disclosure in the EU, even as technical remediation and attacker attribution remained unaddressed in public disclosures.