Italian Insurer’s Data Breach Uncovered Sensitive Staff Documents
Vittoria Assicurazioni’s open buckets exposed hundreds of thousands of files containing sensitive company, staff, and course attendee data.
Company name and location: Vittoria Assicurazioni, based in Italy
Size (in GB and amount of records/files): Around 280GB, 970,000+ files
Data Storage Format: AWS S3 bucket
The Italian insurance company Vittoria Assicurazioni has suffered a cybersecurity incident, exposing staff members’ and training course attendees’ personal data along with sensitive company details, according to the Website Planet research team.
Two of the company’s Amazon buckets were misconfigured, left without any password protection or encryption controls in place. Vittoria Assicurazioni’s buckets contained almost identical datasets with each one exposing over 970,000 files, totaling around 280GB of data per bucket.
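The misconfiguration described above is a bucket whose policy (or ACL) lets anyone on the internet list and download objects. As an added example, not code from the Website Planet report or from Vittoria, the audit below flags bucket-policy statements that grant such anonymous access and contrasts a constructed open policy with a hardened one; the bucket name, account ID and role name are placeholders.

```python
# Added example (not from the Website Planet report): flag S3 bucket-policy
# statements that grant anonymous access, the misconfiguration the report
# describes. Both policies below are constructed; bucket and role names are placeholders.
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """Principal "*" or {"AWS": "*"} means anyone, including unauthenticated users."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_access_findings(policy_json):
    """Return (Sid, action) pairs for unconditional Allow statements open to everyone.
    Statements with a Condition block are skipped: they need manual review rather
    than an automatic 'fully open' verdict."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        for action in _as_list(stmt.get("Action", [])):
            findings.append((stmt.get("Sid", "<no Sid>"), action))
    return findings


# Constructed weak policy: anyone on the internet may list the bucket and download every object.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-training-bucket",
                 "arn:aws:s3:::example-training-bucket/*"]}]})

# Constructed hardened counterpart: one named IAM role may read objects; nobody else.
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "TrainingAppReadOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/training-app"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-training-bucket/*"}]})

if __name__ == "__main__":
    print(public_access_findings(OPEN_POLICY))      # [('PublicRead', 's3:GetObject'), ('PublicRead', 's3:ListBucket')]
    print(public_access_findings(HARDENED_POLICY))  # []
```

A policy check like this complements, rather than replaces, the bucket-level S3 Block Public Access setting, which overrides any public grant in a policy or ACL.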
Vittoria’s buckets exposed thousands of JSON files, PDFs, and .csv files featuring details such as emails, certifications, and social security numbers.
Based on the number of emails and certifications, anywhere between 30,000 and 800,000 people are potentially affected. We can’t provide a more accurate estimation as we cannot know the exact volume of duplicate files on the buckets.
Exposed emails disclosed staff members’ internal communications with each other and external communications with outside parties. These files showed the email addresses of senders and recipients, before detailing email subject lines and contents.
Some emails even revealed sensitive company data like usernames and passwords — information that could provide access to Vittoria’s company accounts.
Website Planet researchers discovered Vittoria Assicurazioni’s buckets, left in open form, as part of our extensive web mapping project. We use web scanners to identify unsecured data stores on the internet. We responsibly analyze, help to secure, and report these data incidents to raise awareness about the dangers of cybercrime and help affected companies and users.
Status of the Data Exposure
April 27th, 2022: We discovered Vittoria Assicurazioni’s data incident.
April 28th, 2022: We contacted Vittoria Assicurazioni.
May 2nd, 2022-May 5th, 2022: We sent follow-up messages to Vittoria contacts.
May 9th, 2022: We emailed new Vittoria contacts and the Italian CERT, who replied the same day. We then responsibly disclosed the breach to the Italian CERT, which contacted Vittoria’s CISO, and one of the buckets was secured.
May 11th, 2022: We contacted the Italian CERT again as one of the buckets was still open. They replied the same day and told us that they would contact Vittoria’s CISO once more.
May 13th, 2022: Vittoria’s second bucket was secured.
Customer & Company Data Exposed
Data belonging to Vittoria Assicurazioni, its employees, training course attendees, and various other unknown parties was exposed across several different file types, including emails, analytics, attachments, avatars, certificates, class details, and export CSV files that contained people’s social security numbers.
Emails (over 150,000 files) and certifications (more than 750,000 files) were the two most prominent datasets. Since the files on both of Vittoria’s buckets are almost identical, file and data counts are taken from the second bucket and do not count duplicate files on the first.
Exposed data included:
Staff PII & sensitive data: Full names, email addresses, subject lines, email contents, email attachments, and certificates awarded by Vittoria.
Course attendees’ PII & sensitive data*: Full names, class details, job roles, training course attainment, and certificates awarded by Vittoria.
Unknown people’s PII & sensitive data**: Images of people (potentially customers or employees), full names, email addresses, email subject lines, email contents, email attachments, social security numbers, and various non-sensitive details.
Sensitive company data: Employees’ email contents (some contain company login credentials), employees’ email subject lines, employees’ email attachments (including training schedules), class details.
*Course attendees appeared to be Vittoria staff members who were attending training courses, though we don’t know if everyone who attended a course was employed by Vittoria.
**We don’t know whether some data belongs to employees, customers, or other third parties (such as contractors). We didn’t identify each one of these individuals for ethical reasons, although we did check a sample of data to make sure it was related to real people.
Files dated from April 2017 to the date we discovered Vittoria’s buckets, April 27th, 2022. The buckets were live and were being regularly updated at the time of discovery.
Amazon is not responsible for the misconfiguration of Vittoria’s buckets.
The majority of files we analyzed seemingly related to training courses, including numerous emails, attachments, certificates, class details, and analytics files. These documents discussed people’s enrollment in training courses, course attainment scores, the scheduling of classes, class attendance registers, and various other program details.
Various email contents, such as those disclosing employee account usernames and passwords, exposed staff data and Vittoria’s sensitive company data. Class details, which included information about training classes and attendees, also exposed sensitive company data.
We could not discern whether some data related to employees, customers, course attendees, or other third parties, such as contractors. This included various email contents, images of people, and social security numbers.
Impact on Vittoria, its Employees, & Others
We do not and cannot know whether malicious actors accessed Vittoria Assicurazioni’s open buckets. However, Vittoria, along with any exposed individuals, could face several security risks if bad actors have obtained the buckets’ data.
Identity theft & impersonation. Italian social security numbers (or “fiscal codes”) can be decoded to identify individuals, revealing names, birthdates, genders, and more. Hackers could use SSNs, certificates, and other personal details to impersonate and defraud victims, applying for credit and opening new accounts in their name.
Phishing, fraud & scams. Hackers could use Vittoria email addresses, email contents, and course documents to send authentic-looking Vittoria emails to other exposed email addresses on the buckets. They could trick users into disclosing personal data, downloading malware, or handing over money.
Corporate Espionage. A rival business could contact Vittoria email addresses and use course details, PII, and leaked emails to pose as another employee or course attendee.
Account takeover. Leaked usernames and passwords in emails could allow hackers to take over company accounts and obtain, destroy, or modify information.
Vittoria Assicurazioni could also come under the investigation of Italy’s Data Protection Authority. According to the EU’s General Data Protection Regulation (GDPR), any company that mishandles personal data could face a maximum fine of up to €20 million (~US$21.1 million) or 4% of the company’s annual turnover (whichever is greater).
Protecting Your Data
Anyone who’s received emails from a Vittoria email address, including Vittoria employees and training course attendees, should be cautious when receiving messages that ask them to click a link, provide sensitive data, or hand over money. Victims of fraud should contact their bank and local law enforcement agency.
Vittoria could implement systems that authenticate staff members to one another and may change login credentials for exposed company accounts.
About Vittoria Assicurazioni
Founded in 1921, Vittoria Assicurazioni is a Milan-based insurance company that offers citizens, professionals, and companies a range of policies, including home, car, pet, accident, health, life, theft, and civil liability insurance.
The company employs over 600 people and turns over around $1 billion annually, as per ZoomInfo.
How and Why We Report on Data Breaches
We want to help our readers stay safe when using any website or online product.
Unfortunately, most data breaches are never discovered or reported by the companies responsible. So, we decided to do the work and find the vulnerabilities putting people at risk.
We follow the principles of ethical hacking and stay within the law. We only investigate open, unprotected databases that we find randomly, and we never target specific companies.
By reporting these leaks, we hope to make the internet safer for everyone.
Website Planet is the number one resource for web designers, digital marketers, developers, and businesses with an online presence.
Our team of ethical security research experts uncovers and discloses serious data leaks as part of a free community service we perform for the web at large.