Cyber Incident Victim: Biennale di Venezia
Date: Jul 2025
Location: Italy
Summary
The Biennale di Venezia suffered a ransomware attack by the group INC Ransom that resulted in the exfiltration of over eight hundred gigabytes of data, with a portion already leaked on the dark web. The foundation detected the intrusion, isolated affected systems, notified authorities, and began recovery efforts assisted by the cybersecurity firm Yarix. While ticket and payment information remained untouched, the stolen data included identity scans of artists such as Tamara Fernando and internal files covering budgets, spreadsheets, and sponsorship agreements. The attackers published sample documents to prove the breach, and the incident follows a typical extortion pattern of threatening to release sensitive material unless a ransom is paid.
Description
On Monday 7 July 2025 at approximately 08:00 a.m., the Biennale di Venezia detected an unauthorized intrusion into its information technology systems. The institution’s security team observed anomalous activity and promptly isolated the affected systems to prevent further spread. Following containment, the Biennale notified the relevant authorities and initiated restoration procedures to gradually reactivate services. The foundation disclosed that it was assisted in the analysis and response by Yarix, the cybersecurity competence centre of Var Group.

The attackers, identified as the ransomware group INC Ransom, claimed to have exfiltrated more than 800 GB of data from the Biennale’s networks. A portion of the stolen material was published on the group’s dark‑web blog to validate the breach, including photographs and scanned copies of identity documents and passports belonging to artists such as Tamara Fernando and other collaborators. In addition, the leaked files contained internal emails, budget spreadsheets, financial worksheets, and sponsorship agreements that disclosed the monetary terms agreed with sponsors. The Biennale emphasized that no ticket‑purchase data or payment‑system information appeared among the released documents.

In accordance with applicable regulations, the Biennale committed to informing all individuals whose personal data might have been accessed by the attackers. The organization stated that it would provide adequate notice to those potentially affected while continuing to work with Yarix on forensic analysis and system hardening. The foundation also confirmed that, despite the large volume of data taken, the publicly released samples represented only a fraction of the total exfiltrated information, suggesting that additional sensitive material remained in the attackers’ possession.
