Cyber Incident Victim: Air Campania
Date:
Mar 2025
Location:
Italy
Summary
Air Campania reportedthat its transportation service app, managed by MyCicero as a data processor, experienced a personal data breach after Pluservice, which hosts the data center through sub‑processor WIIT, detected unauthorized external activity that led to the exfiltration of users’ anagraphic, contact and location information. Upon confirmation of the compromise, the affected system was temporarily taken offline to allow forensic analysis and security measures. The company was subsequently notified, informed the Italian data‑protection authority, and requested detailed information from the processor and sub‑processor to fulfill its GDPR obligations regarding breach handling and security safeguards.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On 29 and 30 March 2025 unidentified external actors carried out malicious activity against the data center services provided by Pluservice s.r.l. for the MyCicero srl application used by Air Campania SPA. The breach was detected by Pluservice s.r.l. on 1 April 2025 and confirmed later that afternoon after a forensic analysis showed unauthorized exfiltration of data from databases hosted at the WIIT data center, a sub‑processor of Pluservice s.r.l., via an external remote cloud destination. MyCicero srl received the official technical report from Pluservice s.r.l. on 3 April 2025 at approximately 17:30, which contained the reconstruction of events and the first objective evidence. Air Campania SPA, as the data controller, was formally notified of the breach on Friday 4 April 2025.
The compromised data include personal anagraphic information, contact details and location data belonging to users, contractors, subscribers and current or potential customers of Air Campania SPA. The breach raises the possibility of loss of confidentiality, meaning the data could be disclosed outside the scope of the provided information or applicable regulations, as well as loss of availability, which may prevent access to services, cause malfunctions or create difficulties in using the services. In addition, the exposed information could enable identity theft or usurpation against the affected individuals. As a precaution, the system was made inaccessible for a limited period immediately after detection to allow verification and security measures.
All involved companies immediately began analysing the incident and implementing every possible measure to mitigate negative consequences for users. The Air Campania Data Breach Team Management, convened ad horas, decided to notify the Italian Guarantor Authority for the protection of personal data and to request information from the processor and sub‑processor under articles 28(3)(f) and (g) of the GDPR to support compliance with articles 32 to 36, particularly regarding breach management and subsequent security measures. Air Campania provided institutional contact points for further information, including the email addresses [email protected], [email protected] and the PEC address [email protected], and indicated that users could also contact the appointed data protection officer, Avv. Salvatore Coppola, at [email protected]. The company reiterated its commitment to protect personal data and to act in the interest and for the safeguarding of users’ rights.