Cyber Incident Victim: Ferrovie dello Stato Italiane

Date: Mar 2022

Location: Italy

Summary

Ferrovie dello Stato Italiane temporarily suspended ticket sales at physical offices and self-service machines following detection of a suspected cryptolocker infection on its computer network. Online ticket services remained operational, and rail traffic was unaffected by the disruption. Security sources speculated about potential involvement by Russian hackers, though authorities did not confirm this attribution. The company initiated precautionary network checks in response to the incident while maintaining normal train operations across its extensive rail network.

Description

On March 23, 2022, Ferrovie dello Stato Italiane (FS), Italy's state-controlled railway operator, announced it had temporarily suspended ticket sales at physical offices and self-service machines in train stations due to suspected cyber activity. The company detected anomalies on the computer networks of its passenger service subsidiary Trenitalia and infrastructure manager RFI that morning, with initial analysis suggesting possible indicators of a cryptolocker infection—a type of ransomware that encrypts data and demands payment for decryption. FS initiated immediate network diagnostics to assess the scope and origin of the incident but did not confirm whether data encryption or ransom demands had occurred. As a precautionary containment measure, the company halted all point-of-sale transactions at station counters and automated kiosks while maintaining normal online ticket sales through digital channels. Rail operations across the national network, including high-speed services spanning over 16,700 kilometers, continued uninterrupted with no reported delays or safety impacts.

The disruption exclusively affected ground-based ticketing systems, causing localized inconvenience to passengers purchasing fares through physical channels. FS emphasized the preventive nature of the sales suspension, stating no operational technology controlling trains or signaling infrastructure was compromised. Italian news agency Ansa cited unidentified security sources speculating about potential Russian hacker involvement based on the attack's characteristics, though neither FS nor the Italian Interior Ministry verified this attribution when contacted by Reuters. The company provided no additional details regarding infection vectors, data exfiltration, or remediation timelines beyond confirming ongoing network analysis. No ransomware group claimed responsibility for the incident publicly during the initial disclosure period.
