Cyber Incident Victim: Azienda Servizi Pubblici Olbia
Date:
Mar 2025
Location:
Italy
Summary
Azienda Servizi Pubblici Olbia disclosed that a breach affecting its users occurred after its service provider MyCicero was informed by its subcontractor Pluservice of unauthorized access to personal data stored in a third‑party data center. The compromised information includes names, contact details and location data, leading to possible loss of confidentiality, service availability and identity‑theft risk, while the affected systems were temporarily taken offline for investigation. No evidence of malicious use has been found, but the municipality has notified the data‑protection authority and requested assistance from the responsible parties to meet GDPR obligations.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Between 29 and 30 March 2025, unidentified external actors carried out malicious activity against the data center services provided by Pluservice s.r.l., which hosts the databases of MyCicero Srl for the Mycicero platform used by the Mooneygo and ASPO applications. On 1 April 2025, Pluservice s.r.l. detected the intrusion and, after a forensic analysis conducted that afternoon, confirmed that unauthorized exfiltration of personal data had occurred from the WIIT data center, a sub‑responsible of Pluservice, via an external remote cloud destination. MyCicero Srl was formally notified of the breach by Pluservice s.r.l. on 3 April 2025 at approximately 17:30, when it received a technical report detailing the reconstruction of the events and the initial objective evidence gathered.
The breach affected individuals classified as users, contractors, subscribers, or customers, both current and potential, of the Mycicero service. The personal data exposed included anagraphic information, contact details, and location data. As a result, the incident posed a potential loss of confidentiality, with the possibility that the data could be disclosed beyond the scope defined in the applicable privacy notice or regulatory framework, a potential loss of availability leading to service access difficulties or malfunctions, and an increased risk of identity theft or usurpation for the affected individuals.
Following the detection, the system was temporarily taken offline to allow security verifications and containment measures to be performed. ASPO, acting on behalf of the Comune di Olbia, subsequently notified the Italian Data Protection Authority (Garante per la protezione dei dati personali) of the breach and requested information from the data controller and sub‑processors pursuant to Articles 28(3)(f) and (g) of the GDPR to support compliance with Articles 32‑36, particularly regarding breach management and subsequent security measures. The Comune di Olbia also made contact channels available for further inquiries, designating the privacy email address [email protected] and the data protection officer email [email protected] for communications related to the incident.