Attack on InfoCert: Our Data for Sale on the Deep Web

Luca Cadonici
05/01/2025

In two releases, one dated 29 and one dated 30 December 2024, the company InfoCert, provider of the SPID digital identity service, confirmed that it had been the victim of a hacker attack in which the personal data of 5.5 million people had been breached. Specifically, a database used to manage customer service requests to the company was hacked. The stolen data included names, surnames, e-mail addresses, tax codes and telephone numbers. The offence was committed on 27 December and claimed the following day on the deep web, on the BreachForums platform, with an announcement offering the stolen data for sale for the initially negotiable sum of USD 1,500.
InfoCert is in charge of creating digital identities for Italians, and currently manages around 1.8 million active SPIDs, with 2 million people authenticating via the InfoCert App and 64 million accesses made to web portals with digital identity services.
To prove that it actually held the data, the platform operator included a sample of its spoils in the post, which concentrates on explaining what InfoCert SpA is, the context in which it operates, and the size of the user base affected. In fact, the post emphasises the final size of the exfiltration, framing it as 5.5 million pieces of exposed data. This includes 1.1 million telephone numbers and 2.5 million e-mail addresses. The sample is in CSV format and contains 24 rows of the data in the seller's possession. The data released seems to be associated with a ticketing system, i.e. the backend of the systems used to manage customer service requests to a company. Among the many fields in the database export are names, surnames, e-mail addresses, tax codes and telephone numbers, but also the reason for the support request, its resolution and any details exchanged between the InfoCert operator and the customer.

What is BreachForums?

BreachForums is a well-known platform on the deep web, used by cyber criminals for buying and selling stolen data, hacking tools and other illicit activities. This community is organised so that users can post advertisements for their cyber loot, often accompanied by samples of the data to prove its authenticity. It is one of the most active black markets for the exchange of compromised information, accessible only through specific browsers such as Tor.

InfoCert’s official releases

In response to the incident, InfoCert published an official statement in which it stated that: “On 27 December … the unauthorised publication of personal data relating to censored customers in the systems of a third party provider was detected and that this publication was the result of an illegal activity to the detriment of that provider, which did not, however, compromise the integrity of InfoCert’s systems”. The note goes on to reassure readers that “no InfoCert service access credentials and/or passwords were compromised in this attack”.

In the second statement, the company confirmed “that the integrity and security of InfoCert’s services, in particular SPID, PEC and Digital Signature, remain fully guaranteed, we reiterate that the illicit data theft affected the systems of an external provider, which manages a customer care platform used by our Customer Care. The data involved are, to date, limited to information related to the handling of customer care requests made via the ticketing system.”

In consultation with that supplier, the company then announced that it had taken the necessary steps to verify and contain the event, had arranged a series of in-depth technical analyses to examine the incident, and had initiated the notification to the Privacy Guarantor (the Italian data protection authority) as required by the European data protection regulation, the GDPR.



Passing the buck is not enough: the InfoCert case and its open questions

While it is true that the statement seems aimed at containing reputational damage, it is difficult to accept such statements lightly from a company whose core business is digital security. The mere fact that such a serious breach has occurred is a wake-up call: those in charge of security cannot afford breaches of this kind, especially considering the importance and sensitivity of the data handled. Nor can they dismiss the matter with a shrug of the shoulders by shifting the blame onto their own supplier, since the supplier falls within the security perimeter that the company itself should have been watching over.
The claim that the integrity of InfoCert’s systems was not compromised may sound reassuring, but it raises more questions than it answers. If the stolen data was exfiltrated from a third-party provider, what security measures were in place to protect the entire ecosystem? What guarantees can we have that such attacks will not be repeated, perhaps with even more serious consequences?

More importantly, neither of the two InfoCert releases mentions the phishing risk to which the users involved in the breach are exposed. This is a significant omission, considering that the stolen data (e-mail addresses, phone numbers) is information commonly exploited for targeted phishing campaigns, in which attackers would have an easy time impersonating company operators contacting customers after the data breach.

A problem of trust

Trust is the fundamental pillar on which the services offered by companies like InfoCert are based. Digital identity management requires exceptionally high security standards, which cannot be compromised. This episode, however, deeply undermines the credibility of the entire supply chain.
As the InfoCert case unfolds, one bitter realisation remains: the digital security landscape in Italy is still too vulnerable. Cyber attacks are becoming increasingly sophisticated, and many companies are not adequately prepared to deal with them. It is not just a matter of protecting sensitive data, but of safeguarding citizens’ trust in the digital services on which our daily lives are increasingly based, SPID above all.

