At least ten hotels in Italy have been hit by a cyberattack this summer. The identity data of thousands of hotel guests are on sale.
Italy is not only suffering from a heatwave, but the country is also facing a wave of cyberattacks on hotels. The Italian national cybersecurity agency AGID confirms that at least ten hotels have been affected and expects that it won’t stop there. This could also be bad news for those who have recently been on holiday or business trips to Italy.
The hacker, operating under the pseudonym mydocs, is targeting the identity data of guests who stayed at the hotels. On hacker forums, the hacker sells scans of identity documents such as passports. According to AGID, there are already tens of thousands of “high-quality” scans.
Identity Data for Sale
Since June, the database of stolen identity data has been expanded little by little. The attacker obtained the data through unauthorized access to the hotels' IT systems. After the first reports from the affected hotels, the number of reports and the amount of published data rose quickly.
The latest “batch” dates from as recently as Tuesday evening. The database is said to already contain scans of approximately 100,000 individual documents. AGID confirms the authenticity of the data for sale. It is not clear how far back the database goes, but for one affected hotel in Rome, it could involve scans of guests who checked in years ago.
The Italian authority advises being extra vigilant in the coming period. A high-quality scan of your ID card is a potential goldmine for cybercriminals and fraudsters. AGID warns of, among other things, bank fraud, identity theft, and social engineering attacks, with potentially dramatic personal and financial consequences.
Safe at the Hotel
Even if you haven’t recently been to Italy, there is a lesson to be learned. Nowadays, almost every hotel asks for your ID card during check-in. This is allowed, provided there is written consent from the guest.
The legislation on whether a hotel can make a copy of your ID card or only transcribe the data varies from country to country. In the Netherlands, for example, making a copy or scan is not allowed.
Hotels (and other companies) sometimes forget, whether consciously or not, to delete your data once they no longer need it. Know that as a consumer, you have the right to demand that your data be immediately deleted after your stay. A simple email should be enough.