Cyber Incident Victim: Mooney Servizi SpA

On April 5, 2025, Mooney Servizi SpA, the third-party service provider responsible for managing Azienda Trasporti Milanesi's (ATM) mobile application, notified ATM of a cybersecurity incident detected that evening. The attack compromised a customer data archive hosted by infrastructure provider WIIT SpA, which contained information from multiple clients of Mooney Servizi/MyCicero, including ATM app users. Attackers copied personal data through unauthorized access to an external cloud storage system. The breach affected registered ATM app users' biographical information, contact details, and customer profile data. No financial information was compromised, with ATM confirming no unauthorized access occurred to credit cards, debit cards, digital payment systems, application login credentials, or residential addresses. Mooney Servizi immediately isolated its systems following detection to prevent further unauthorized access attempts.

ATM implemented multiple protective measures following notification. The company requested detailed, updated reporting from Mooney Servizi regarding all security measures deployed in response to the attack. Security protocols for third-party access to ATM systems were strengthened as a mitigation effort. Regulatory notifications were made to Italy's Data Protection Authority (Garante per la Protezione dei Dati Personali) and the National Cybersecurity Agency. The primary confirmed impact involved loss of data confidentiality, creating risks of unauthorized disclosure or misuse of personal information. The incident exclusively affected data processed by Mooney Servizi under its contractual data processing responsibilities for ATM, with no direct compromise of ATM's internal systems.