
Italy's data protection authority (Garante per la Protezione dei Dati Personali) has fined telecommunications provider Wind Tre €1.715 million (approximately $2 million) after finding serious security shortcomings that led to two data breaches affecting more than 365,000 customers.
The decision follows an investigation launched after Wind Tre disclosed the incidents in February 2025. According to the regulator, attackers posed as technical support staff and convinced employees at two retail stores to grant them access to the company's internal systems. The intrusions allowed the threat actors to steal customers' personal and contact information.
For 41,359 affected customers, the stolen data also included payment-related information, such as the payment method used, IBAN numbers, partially masked credit card numbers, and card expiration dates.
The Garante found that the breaches were enabled by weaknesses in the management of access credentials and digital certificates. It also concluded that the company's security assessments failed to identify vulnerabilities that more comprehensive testing would likely have detected. These deficiencies ultimately allowed attackers to compromise the systems and exfiltrate customer data.
Wind Tre is one of Italy's largest telecommunications providers, offering mobile, fixed-line, broadband, and enterprise services to millions of customers nationwide.
The regulator ruled that the company violated the GDPR's integrity, confidentiality, and security requirements. In addition to the financial penalty, Wind Tre has been ordered to strengthen protections for credentials and digital certificates, implement secure password management tools, and improve its cybersecurity procedures to reduce the risk of similar incidents.
When determining the fine, the authority said it considered the company's prompt breach notification, the corrective measures implemented after the attacks, and its cooperation throughout the investigation.
Garante's newsletter also announced several other privacy enforcement actions. The Garante fined a data controller €50,000 ($58,000) and a debt collection company €30,000 ($35,000) after finding failures in the handling of personal data during debt recovery activities, including inadequate oversight of a third-party processor and poor record management.
The Garante also highlighted new guidance adopted by the European Data Protection Board (EDPB) covering data anonymization, web scraping in the context of generative AI, and blockchain technologies. The anonymization and web scraping guidelines are open for public consultation until October 30, 2026, while the blockchain guidance has been finalized.






Leave a Reply