Tens of thousands of Italian hotel guests may be hit by cyber heist

The Italian government warned on Wednesday that identity documents belonging to tens of thousands of people who had stayed at hotels in the country allegedly have been stolen and are being illegally sold online.

According to the computer emergency response team at the Agency for Digital Italy (CERT-AGID), at the last count a cybercriminal going by the handle “mydocs” had offered more than 90,000 documents for sale.

The documents, allegedly obtained from 10 different Italian hotels, are high-resolution scans of identity-confirming materials used during check-ins, including passports and other forms of official ID cards. The “mydocs” account has attempted to sell these in several tranches starting last week on what CERT-AGID called “a well-known underground forum.”

“It is not ruled out that further cases could emerge in the coming days. This data, once stolen, can be used for fraudulent purposes: from creating false documents to opening bank accounts, to social engineering attacks and digital identity theft, with potentially serious consequences for the victims, both financially and legally,” warned AGID.

Those who have visited any hotels in Italy are being urged to monitor for signs their data is being misused, for instance through credit requests or unauthorised attempts to open financial accounts under their names. 

While the breaches appear to have taken place in June and July of this year, it is not clear how many years back the hotels’ scans are retained for and thus how many customers in total have been affected. The agency did not name the 10 hotels.

CERT-AGID warned that a similar incident had taken place earlier this year when the team tackled a smishing campaign attempting to “steal copies of identity documents, with particular interest in selfies where the document is displayed next to the victim's face.”

It said “the increase in illicit sales of identity documents confirms the urgency of strengthening awareness and protective measures, both among the organizations that manage them and among citizens.”

Given what was described as “the growing frequency of these illicit activities,” CERT-AGID stated it was “increasingly clear how essential it is for organizations that collect and manage identity documents to adopt rigorous measures to protect and secure information, ensuring not only proper data processing but also the protection of their digital systems and portals from unauthorized access.”