Pierluigi Paganini November 21, 2025

Ferrovie dello Stato Italiane (FS) data leaked after a breach at IT provider Almaviva. A hacker claims the theft of 2.3 TB of sensitive data.

Data belonging to Italy’s national railway operator Ferrovie dello Stato Italiane (FS) was leaked after a data breach at IT provider Almaviva. FS Italiane Group is Italy’s state-owned railway company, managing passenger and freight transport, infrastructure, and logistics. It operates nationally and internationally, offering high-speed, regional, and freight services. The group includes Trenitalia, Rete Ferroviaria Italiana (RFI), and other subsidiaries, serving millions of customers annually.

AlmavivA is an Italian leading IT and digital services provider. Its offers include CRM, outsourcing, and cloud solutions. It has 41,000 employees (7,000 in Italy, 34,000 abroad) and reported €1.411 billion in revenue in 2024.

A threat actor claimed the theft of 2.3 TB of sensitive data, including:

• FSE Investment and Industrial Plans for 2017-2035
• Internal and confidential documents
• Sensitive company information
• Informazione ad uso interno, documents marked USO INTERNO, CONFIDENZIALE o ESCLUSIVO (Information for internal use, documents marked INTERNAL USE, CONFIDENTIAL or EXCLUSIVE)
• Privileged and Confidential Communications and Information
• Contracts and agreements
• NDA
• Contratto e informazione Vitrociset (Project Venus, Leonardo, SIPAD)
• Contracts and agreements with MINISTERO DIFESA, AERONAUTICA MILITARE
• Signed projects documentation
• Codes
• Trade secrets
• Forensic reports
• Legal and court papers
• Finance, bank documents
• Passengers’ personal data with passport numbers (dati di passeggeri)
• Data on employees of MERCITALIA INTERMODAL S.p.A., GrandiStazioni Retail, Delta State Italia, FENCEDIT SERVIZI FINANZIARI S.p.A., Fondazione FS Italiane, Rete Ferroviaria Italiana, Trenitalia, Ferrovie Dello Stato Italiane, FS International, Trenitalia Linea, FS Security, FS Sistemi Urbani, FS Technology, GrandiStazioni Rail, Italferr, Italcertifer, Trenitalia, Ferrovie Dello Stato Italiane, Trenitalia Tper, Terminali Italia, Treni Turistici Italiani (Full names, email addresses, phone numbers, job titles, salaries, and CID of employees)
• Mercitalia clients
• Priority Lists of Defense-Related Supplies
• Almaviva contracts with clients and suppliers
• Contracts, Accords, and agreements with Almaviva’s executive contracts with: General Guardia di Finanza, Ministry of Defense, General Command of the Carabinieri, health authorities, MINISTRY OF FOREIGN AFFAIRS AND INTERNATIONAL COOPERATION (and other governmental agencies & private companies)
• Progress reports, technical documents for Almaviva projects
• Tender related documents of various companies
• Struttura Interna della Direzione Generale (GENERALI ITALIA S.p.A.)
• RIF Financial docs

Leaked files show that much of the data is recent, including fiscal, administrative, and operational documents up to Q3 2025, a circumstance that suggests the data results from a fresh compromise rather than the reuse of material stolen in a previous data breach that Almaviva suffered in 2022.

Almaviva announced it had detected and contained a cyberattack on its corporate systems, resulting in the theft of some data. The company activated specialized security procedures to protect critical services, which remained fully operational. Authorities, partners, and relevant stakeholders were promptly informed, and Almaviva continues close coordination for monitoring, investigation, and response, prioritizing data protection and ongoing updates while respecting investigation confidentiality.

“Almaviva announces that in recent weeks, its security monitoring services identified and subsequently isolated a cyberattack affecting our corporate systems, resulting in the theft of certain data.

Almaviva immediately activated security and response procedures through its specialized team for this type of incident, ensuring the protection and full operation of critical services.” reads the notice published by the company.

“At the same time, the relevant authorities—the Public Prosecutor’s Office, the Postal Police, the National Agency for Cybersecurity, and the Italian Data Protection Authority—were informed, and close collaboration is underway with them, partners, and other relevant entities to ensure maximum coordination in monitoring, investigation, and response activities.”

Almaviva also offers cyber security services claiming “a whole new level of knowledge and understanding of cyber threats.” The company also operates in the Defense and Security sector alongside the Armed Forces and Law Enforcement, offering solutions to enable decision-making processes in key areas.

Here’s a concise summary of your text:

The Almaviva and Ferrovie dello Stato data leak is extremely dangerous, affecting companies, employees, and ordinary citizens. The 2.3 TB of stolen files include payrolls, contracts, bank account details, and web configurations, which could be exploited to cause significant harm at multiple levels.

“Anyone who gets hold of that information could really cause a lot of damage, at every level, without the victims – especially citizens – being able to easily counteract it. Let’s try to understand why.:” wrote the Data Protection advocate Christian Bernieri.

At this time, the scope of the security breach is unclear, and it is unknown whether other major Italian organizations may have been impacted. Almaviva has not shared technical details about the attack.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Almaviva)