Italy’s digital agency AGID said on Wednesday that a cybercriminal’s claims surrounding a wave of data thefts affecting hotel booking systems are credible, with authorities confirming that ten hotels have been affected and warnings that number could rise in the coming days.
In posts on a cybercrime forum, the individual or group operating under the alias mydocs claimed to have access to hundreds of thousands of guests’ sensitive identity documents dating from June to August. AGID noted the allegations as part of its ongoing assessment, and cited the possibility that the scale of the breach could expand as investigations continue.
AGID said it intercepted an illegal sale of the documents in question, a finding that the agency says supports the authenticity of the data. The posturing on the forum, which can feature inflated or false claims, was not treated as conclusive proof until the sale activity was observed by authorities. The advisory distributed by AGID warns of scams that could target breach victims, noting the potential for fraud from stolen documents.
The advisory emphasizes that stolen identity documents can be used to forge credentials, open bank accounts, or fuel social-engineering attacks with wide-ranging consequences for victims. In its notes, AGID urges vigilance among both hoteliers and guests and reminds the public to monitor for suspicious activity tied to affected bookings.
One affected property cited by the alleged data thief – a four-star Borghese Contemporary Hotel in Rome with just 24 beds – has been cited as having more than 7,000 documents listed. The discrepancy between that figure and the hotel’s size has prompted officials to caution that either the breach spans many years of visitors or the forum claims may be inflated. The investigation continues as authorities gather further data and corroborate the scope of the intrusion.
The Italian data protection authority, the GPDP, issued a separate statement on Wednesday confirming that some hotels reported irregularities in the wake of the attacks. The GPDP urged facilities that have not yet reported breaches to do so promptly to enable protective steps and to notify affected guests, as required by law. It also stressed that anyone who suspects their documents were unlawfully stolen should contact the accommodations where they stayed for confirmation. The GPDP has launched a formal investigation into the thefts.