Cyber Incident Victim: Dussmann Service S.r.l.
Date:
Jul 2022
Location:
Italy
Summary
A cyberattack targeted a German multinational providing school meal services in Padova, potentially compromising personal data of approximately 7,000 children and their families. The breach exposed sensitive information including banking details used for meal payments and pupil records, raising concerns about identity theft, fraud, and phishing risks. Municipal authorities notified affected parties and reported the incident to the national privacy regulator while investigations continued. The company activated a task force, suspended its servers and workstations at its Bergamo operations center, and temporarily transitioned to laptop-based operations. Although unconfirmed, the attack displayed characteristics consistent with ransomware and appeared to be part of a broader coordinated campaign against the organization.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On or around July 1, 2022, Dussmann Service S.r.l., a German multinational managing school meal services for Padova's municipal education system, experienced a cybersecurity breach compromising its IT infrastructure. The attack potentially exposed personal data of approximately 7,000 children enrolled across municipal kindergartens, elementary schools, and middle schools, along with their families' information. While the exact attack vector remained unspecified during initial investigations, preliminary evidence suggested ransomware involvement. The breach reportedly enabled unauthorized external actors to access sensitive records, including student personal data and family banking information used for meal payment processing. Padova's municipal government issued formal notifications to affected families, acknowledging the hypothetical exposure of personal information while clarifying that Dussmann had not yet provided conclusive evidence confirming specific data compromises.
Dussmann initiated containment measures by establishing an emergency task force at its Capriate San Gervasio (Bergamo) operational base, where technicians shut down compromised servers and workstations, replacing the latter with portable laptops to maintain service continuity. The company acknowledged potential risks including loss of data confidentiality, identity theft, and financial fraud, advising vigilance against phishing attempts and fraudulent communications. Padova's Education Councilor Cristina Piva confirmed mandatory notification to Italy's Data Protection Authority (Garante della Privacy) while investigations continued to determine the attack's severity and full scope. Municipal authorities emphasized the incident's potential connection to a broader, coordinated campaign against Dussmann's operations, noting similar prior attacks against other Veneto region entities including ULSS 6 Euganea healthcare provider and Villafranca municipality. Ongoing forensic analysis focused on determining whether attackers exfiltrated specific data categories, particularly banking credentials and children's personal information, with no ransomware payment demands or operational disruptions to school meal services reported during the initial response phase.