Cyber Incident Victim: Iren

Date: Dec 2019

Location: Italy

Summary

A cyberattack compromised the multiutility company Iren through an outdated employee computer, deploying cryptolocker malware that encrypted systems and caused a prolonged operational shutdown. Critical services including customer archives, emergency response centers, email communications, access badges, call centers, and branch operations were disrupted for weeks, forcing some outsourced staff into involuntary leave. While the public portal was partially restored after a week, internal telephony and data access remained impaired. Unofficial damage estimates reached €25-30 million, though the firm denied financial impacts or data theft, attributing delays to isolation measures during system restoration. Internal reports had previously warned leadership about unaddressed system vulnerabilities enabling such intrusions. The company filed criminal complaints with Genoa's prosecutor and data privacy authorities following the incident.

Description

On December 4, 2019, Iren, an Italian multi-utility company serving 2.5 million customers across Turin, Genoa, and Emilia-Romagna, suffered a complete IT system blackout following a successful cyberattack. Attackers infiltrated the network through an outdated, always-on employee computer and deployed cryptolocker ransomware that encrypted data and blocked access to critical systems. The intrusion paralyzed operations for over two weeks, rendering customer archives inaccessible, disconnecting emergency response centers, and disabling email communications. Physical security systems malfunctioned, with employee badges failing to operate, while call centers and service counters could not process requests, including basic contract modifications. Outsourced service providers such as Barbagli Srl faced operational paralysis, forcing some employees into unpaid leave due to the inoperable intranet. Internal telephones in Turin’s headquarters also failed, and waste collection services under subsidiary Amiat relied on temporary geographic phone numbers after the primary systems went offline.

Iren’s technical team isolated compromised systems to contain the attack, severing external access points to prevent further spread. Partial service restoration began on December 16 when the company website resumed operations, though core functions remained impaired. Management acknowledged the severity of the breach, confirming data encryption but denying theft or irreversible damage. Unofficial estimates placed financial losses between €25-30 million, though Iren disputed this, stating such figures would only apply if billing systems had fully failed. The company filed a criminal complaint with the prosecutor in Genoa, where its primary data center was located, and reported the incident to Italy’s Privacy Guarantor. Internal sources revealed that prior warnings about system vulnerabilities had been disregarded by leadership, a claim Iren publicly denied. Full operational recovery required fifteen days, during which executives considered but ultimately avoided mandatory employee furloughs due to potential reputational repercussions.
