Cyber Incident Victim: Plus Service
Date:
Mar 2025
Location:
Italy
Summary
A cyber attack targeted the servers of Plus Service, disrupting the Telemaco platform that supplies electronic ticketing for numerous transport operators including Mom. The outage lasted two days, forcing commuters and students to rely on paper tickets and overwhelming call centers while the company worked to restore service. The platform serves about 150 transport companies, manages 1.5 million subscribers and 30,000 sales points, processing over a billion euros in transactions each year. Although WIIT provided the underlying cloud infrastructure, it stated that its systems were not compromised and that responsibility for the platform’s security rested with the provider. Normal operations gradually resumed after the attack was contained.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On Sunday 30March 2025 the electronic ticketing systems managed by Plus Service’s Telemaco platform suffered a cyber attack that disrupted service for the Mobilità di Marca (Mom) network. According to Mom president Giacomo Colladon the attack caught the provider by surprise and caused noticeable slowdowns on Plus Service’s servers beginning on the preceding day. The disruption persisted for two full days, during which the Mom call centres were overwhelmed as users attempted to access digital ticketing services and found them unavailable. As a result many commuters and students were forced to purchase physical tickets at stations or authorized resellers, leading to queues, additional costs and general inconvenience. The incident coincided with the peak period for renewal of school and work subscriptions, which amplified the volume of users trying to connect to the platform and complicated restoration efforts.
Plus Service provides the Telemaco platform to approximately 150 transport companies, overseeing 1.5 million subscribers, linking 30 000 points of sale and processing over one billion euros in annual transactions. The attack directly targeted the infrastructure hosting the MyCicero platform, a service operated by Plus Service subsidiary Pubbliservice srl, while the underlying cloud infrastructure supplied by WIIT remained unaffected. WIIT’s monitoring systems detected anomalous activity within the hosted environment, traced the origin to the Plus Service perimeter and advised the client to isolate and suspend the MyCicero service, a measure that was promptly enacted. The decision on how to restart the platform and restore normal operation was made autonomously by Plus Service, which formally indemnified WIIT from any related liability. Throughout the outage Mom maintained communication with users, advising them to contact the company for updates and confirming that technicians were working to return the system to full functionality. By the late afternoon of the day before the article the service had begun to function again, albeit intermittently, with the goal of achieving complete normal operation on the day of the report. No further details about the attackers, their methods or any data breach were disclosed in the available sources.