Industry - Data Breach
Executive Summary
Italy's data protection authority fined telecoms operator WINDTRE €1.7 million after hackers posing as support technicians breached corporate systems through retail employees, exposing personal information of over 365,000 customers. The compromised data included contact details and sensitive payment information such as partially obscured credit card numbers and bank account details for 41,359 customers. The regulator found WINDTRE failed to adequately manage access credentials and conduct tho...
What Happened
In February 2025, hackers posed as support technicians and convinced employees at two WINDTRE retail locations to grant them access to corporate systems, compromising personal data of over 365,000 customers. The exposed information included contact details for all affected customers and sensitive payment data - including partially obscured credit card numbers, bank account details, and expiration dates - for 41,359 individuals. Italy's data protection authority investigated and issued a €1.7 million fine in July 2026, citing inadequate credential management and insufficient security assessments that failed to detect exploitable vulnerabilities.
Who Is Affected
More than 365,000 WINDTRE customers in Italy had their personal and contact information exposed, with 41,359 of those customers having their payment information compromised, including bank account details and partial credit card data. The breach occurred through social engineering targeting retail employees, making customers of the CK Hutchison-owned telecommunications operator the primary victims of inadequate corporate security measures.
Why It Matters
This incident demonstrates how human vulnerability at retail points can bypass technical security measures, exposing hundreds of thousands of customers to potential financial fraud and identity theft. The regulatory finding that basic security assessments would have detected these vulnerabilities highlights systemic failures in a major telecommunications provider's data protection practices. The €1.7 million penalty and mandated security improvements set enforcement expectations for telecommunications operators managing sensitive customer payment data across retail networks.
What You Should Do
If you are a WINDTRE customer, monitor your bank and credit card statements closely for unauthorized transactions and consider placing fraud alerts with your financial institutions. Contact WINDTRE directly to confirm whether your account was affected and what specific data was compromised. Change any passwords associated with your WINDTRE account and enable multi-factor authentication if available, and remain vigilant against phishing attempts that may reference this breach to appear legitimate.
Summary generated from verified sources and reviewed before publication. How we summarize.