Cyber Incident Victim: Municipality of Porto Sant’Elpidio
Date: May 2021
Location: Italy
Summary
A ransomware attack targeted an Italian municipality, resulting in threat actors leaking approximately 900 MB of files from an estimated 8 GB of stolen data. The partial dump included administrative documents and sensitive resident information, such as personal details from a vehicle accident report. Despite the breach, the municipality did not publicly acknowledge the incident or respond to inquiries regarding GDPR compliance, including potential notifications to authorities. The attackers claimed to have waited 21 days before releasing data, raising questions about the timeliness of any regulatory response. The incident’s full impact remains unclear, but exposed files contained identifiable personal information affecting residents.
Description
In late May 2021, the Municipality of Porto Sant’Elpidio in Italy became a confirmed victim of a ransomware attack attributed to a threat actor group operating under unclear aliases—variously referenced as PayOrGrief or Grief_List. The attackers listed the municipality on their dedicated leak site alongside other victims, including Washington’s Clover Park School District, indicating non-payment of ransom demands. Approximately 8 GB of data was exfiltrated during the attack, with threat actors publicly releasing an initial dump of roughly 900 MB comprising around 1,000 files. Analysis by Marco A. De Felice of Suspect File and DataBreaches.net confirmed the dumped material contained administrative documents alongside files exposing residents’ sensitive personal information. One identified file detailed a vehicle accident report specifying the car owner, driver, and injury status, demonstrating the presence of identifiable personal data. The attackers reportedly waited 21 days before publishing the partial data dump, suggesting the breach occurred weeks prior to late May. No technical details regarding intrusion vectors, affected systems, or containment measures were disclosed in available reports.

The municipality maintained complete public silence regarding the incident, with no official statements, website notices, or press releases identified as of May 29, 2021. Suspect File attempted to contact Mayor Massimiliano Ciarpella, the City Council President, relevant councilors, and local police command via email to inquire about GDPR compliance and breach notifications but received no response. Under GDPR Article 33, the municipality was obligated to notify Italy’s Data Protection Authority (Garante) within 72 hours of becoming aware of the personal data breach. The 21-day interval between attack execution and data leakage raised questions about whether authorities were informed promptly. The confirmed exposure of residents’ sensitive information created legal and operational risks for the administration, though the full scope of compromised data and downstream impacts remained unverified due to limited forensic disclosure.
