# Italian Insurer’s Data Breach Uncovered Sensitive Staff Documents

Vittoria Assicurazioni’s open buckets exposed hundreds of thousands of files containing sensitive company, staff, and course attendee data.
The Italian insurance company Vittoria Assicurazioni has suffered a cybersecurity incident, exposing staff members’ and training course attendees’ personal data along with sensitive company details, according to the Website Planet research team. Two of the company’s Amazon S3 buckets were misconfigured: they were left without any access controls or encryption in place, so anyone who found them could list and download their contents.

Vittoria Assicurazioni’s buckets contained almost identical datasets, each exposing over 970,000 files and totaling around 280GB of data per bucket. The buckets exposed thousands of JSON files, PDFs, and .csv files featuring details such as emails, certifications, and social security numbers. Based on the number of emails and certifications, anywhere between 30,000 and 800,000 people are potentially affected. We can’t provide a more accurate estimate because we cannot know the exact volume of duplicate files on the buckets.

Exposed emails disclosed staff members’ internal communications with each other and external communications with outside parties. These files showed the email addresses of senders and recipients, followed by the email subject lines and contents. Some emails even revealed sensitive company data like usernames and passwords — information that could provide access to Vittoria’s company accounts.

Website Planet researchers discovered Vittoria Assicurazioni’s open buckets as part of our extensive web mapping project. We use web scanners to identify unsecured data stores on the internet. We responsibly analyze, help to secure, and report these data incidents to raise awareness about the dangers of cybercrime and to help affected companies and users.
| Item | Detail |
|---|---|
| Company name and location: | Vittoria Assicurazioni, based in Italy |
| Size (in GB and amount of records/files): | Around 280GB, 970,000+ files |
| Data Storage Format: | AWS S3 bucket |
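The report describes buckets left without access controls or encryption. The following is an added example (not the report’s or Vittoria’s own code) of a defender-side audit that flags exactly those conditions on a bucket: public ACL grants, Block Public Access not enforced, an anonymous bucket policy, and no default server-side encryption. It works on the dict shapes boto3 returns, so in a live audit the inputs would come from `boto3.client("s3").get_bucket_acl(Bucket=...)` and the matching `get_public_access_block`, `get_bucket_encryption` and `get_bucket_policy` calls; all sample data below is constructed.

```python
import json

# Added example, not the report's or Vittoria's own code. Input dicts mirror boto3's
# get_bucket_acl / get_public_access_block / get_bucket_encryption / get_bucket_policy
# responses; pass None where boto3 would raise because the configuration is absent.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def audit_bucket(acl, public_access_block, encryption, policy=None):
    """Return a list of exposure findings; an empty list means nothing was flagged."""
    findings = []
    # ACL grants to the AllUsers / AuthenticatedUsers groups let anyone list or read objects.
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append(f"public ACL grant: {grant['Permission']} to {grantee['URI'].rsplit('/', 1)[-1]}")
    # Block Public Access needs all four flags on; a missing config means none are enforced.
    cfg = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    if missing := [k for k in BLOCK_KEYS if not cfg.get(k)]:
        findings.append("public access block not enforced: " + ", ".join(missing))
    # A bucket policy Allow for Principal "*" without a Condition grants anonymous access.
    for stmt in (json.loads(policy["Policy"]).get("Statement", []) if policy else []):
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and anonymous and "Condition" not in stmt:
            actions = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
            findings.append("bucket policy allows anonymous principal: " + ", ".join(actions))
    # Without a default encryption rule, objects at rest are stored unencrypted.
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not any("ApplyServerSideEncryptionByDefault" in rule for rule in rules):
        findings.append("no default server-side encryption")
    return findings


# Constructed sample modelling an open bucket like the two in the report (IDs are placeholders).
OPEN_ACL = {"Owner": {"ID": "owner-placeholder"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
OPEN_PAB = {"PublicAccessBlockConfiguration": {k: False for k in BLOCK_KEYS}}
OPEN_POLICY = {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket-placeholder/*"}]})}
# Hardened counterpart: owner-only ACL, all four block flags on, SSE-S3 by default, no policy.
SAFE_ACL = {"Owner": OPEN_ACL["Owner"], "Grants": OPEN_ACL["Grants"][:1]}
SAFE_PAB = {"PublicAccessBlockConfiguration": {k: True for k in BLOCK_KEYS}}
SAFE_ENC = {"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
```

Running `audit_bucket` over every bucket in an account on a schedule, and alerting on a non-empty result, is the kind of check that would have caught the exposure before an outside scanner did.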
## Status of the Data Exposure

We discovered Vittoria Assicurazioni’s data incident on
- April 28th, 2022: We contacted Vittoria Assicurazioni.
- May 2nd, 2022-May 5th, 2022: We sent follow-up messages to Vittoria contacts.
- May 9th, 2022: We emailed new Vittoria contacts and the Italian CERT, who replied the same day; we then responsibly disclosed the breach to the Italian CERT. The Italian CERT contacted Vittoria’s CISO and one of the buckets was secured.
- May 11th, 2022: We contacted the Italian CERT again as one of the buckets was still open. They replied the same day and told us that they would contact Vittoria’s CISO once more.
- May 13th, 2022: Vittoria’s second bucket was secured.
## Customer & Company Data Exposed

Data belonging to Vittoria Assicurazioni, its employees, training course attendees, and various other unknown parties was exposed across several different file types, including emails, analytics, attachments, avatars, certificates, class details, and exported CSV files that contained people’s social security numbers. Emails (over 150,000 files) and certifications (more than 750,000 files) were the two most prominent datasets. Since the files on both of Vittoria’s buckets are almost identical, file and data counts are taken from the second bucket and do not count duplicate files on the first. Exposed data included:
- Staff PII & sensitive data: Full names, email addresses, subject lines, email contents, email attachments, and certificates awarded by Vittoria.
- Course attendees’ PII & sensitive data*: Full names, class details, job roles, training course attainment, and certificates awarded by Vittoria.
- Unknown people’s PII & sensitive data**: Images of people (potentially customers or employees), full names, email addresses, email subject lines, email contents, email attachments, social security numbers, and various non-sensitive details.
- Sensitive company data: Employees’ email contents (some contain company login credentials), employees’ email subject lines, employees’ email attachments (including training schedules), class details.
## Impact on Vittoria, its Employees, & Others

We do not and cannot know whether malicious actors accessed Vittoria Assicurazioni’s open buckets. However, Vittoria, along with any exposed individuals, could face several security risks if bad actors have obtained the buckets’ data.
- Identity theft & impersonation. Italian social security numbers (or “fiscal codes”) are derived from personal details and can be decoded to identify individuals, revealing names, birthdates, genders, and more. Hackers could use SSNs, certificates, and other personal details to impersonate and defraud victims, applying for credit and opening new accounts in their name.
- Phishing, fraud & scams. Hackers could use Vittoria email addresses, email contents, and course documents to send authentic-looking Vittoria emails to other exposed email addresses on the buckets. They could trick users into disclosing personal data, downloading malware, or handing over money.
- Corporate Espionage. A rival business could contact Vittoria email addresses and use course details, PII, and leaked emails to pose as another employee or course attendee.
- Account takeover. Leaked usernames and passwords in emails could allow hackers to take over company accounts and obtain, destroy, or modify information.