Cyber Incident Victim: RP Consulting SpA
Date: Sep 2022
Location: Italy
Summary
A cybercriminal group advertised the sale of stolen data from Italian insurance management firm RP Consulting SpA on underground platforms Breach Forums and a profit-driven cyber gang's Telegram channel. The compromised dataset, totaling 7.3 GB across over 13,000 files, included documents, spreadsheets, and PDFs. The breach announcement followed established patterns of data trading on Breach Forums, an illicit community that gained prominence after the shutdown of Raid Forums and attracted former participants of that platform. The incident exposed sensitive organizational information, though specific data types beyond file formats weren't detailed in the initial disclosure.
Description
On September 23, 2022, a threat actor advertised the sale of stolen data from Italian insurance management firm RP Consulting SpA on Breach Forums, a prominent cybercrime platform. The post included samples of the compromised data and contact instructions for potential buyers, indicating an active underground negotiation process. The dataset comprised 7.3 GB of data across more than 13,000 files, primarily consisting of documents (DOCS), spreadsheets (XLS), and PDF files. The cybercriminal group further promoted this data sale through their Telegram channel, expanding its visibility within criminal networks. RP Consulting SpA—formed through the merger of Company Brokers, Consulenti Assicurativi, and RP Italia—specialized in integrated insurance management services, though the advertisement did not specify whether client data or internal corporate documents were exfiltrated. No ransomware claims or explicit extortion demands accompanied the advertisement, framing the incident purely as a data brokerage operation. The threat actor provided no details regarding intrusion methods, timeline of compromise, or specific data categories beyond file formats. Cybersecurity monitoring service RedHotCyber identified the advertisement shortly after publication but reported no subsequent statements from RP Consulting SpA regarding incident validation, impact assessment, or containment measures at the time of reporting.

Breach Forums emerged in March 2022 as a replacement for the seized Raid Forums platform, founded by threat actor "pompompurin" who explicitly denied affiliation with the prior operation. The forum rapidly attracted over 1,500 members, including former Raid Forums participants who maintained consistent usernames and avatars, lending credibility to its illicit marketplace. This incident marked one of numerous high-profile data sales facilitated through the platform, which specialized in distributing stolen information through structured vendor interactions. The RP Consulting SpA breach advertisement followed standard underground protocols by including proof-of-concept samples and direct negotiation channels, though the responsible actor or group remained unnamed. No law enforcement actions or disruptions to the data sale were reported in the immediate aftermath, leaving the ultimate disposition of the stolen data unclear based on available evidence.
