A threat actor claims to have stolen 2.3 terabytes of data after breaching Almaviva, an IT services provider that counts Italy’s FS Italiane Group among its clients, and posted the files on a dark web forum. The actor described the leak as containing confidential documents and sensitive company information.
Andrea Draghetti, Head of Cyber Threat Intelligence at D3Lab, wrote on LinkedIn that the leaked data is recent and includes documents from the third quarter of 2025, and he ruled out the possibility the files were recycled from a 2022 Hive ransomware incident.
Draghetti said the dump appears organized into compressed archives by department or company and that it contains internal shares, multi-company repositories, technical documentation, contracts with public entities, HR archives, accounting data and complete datasets from several FS Group companies, and that the structure is consistent with the modus operandi of ransomware groups and data brokers active in 2024–2025.
Almaviva is a major IT services provider with more than 41,000 employees across nearly 80 branches and an annual turnover of about $1.4 billion last year. FS Italiane Group is a 100% state-owned railway operator with over $18 billion in annual revenue that manages rail infrastructure, passenger and freight transport, bus services and logistics chains.
Almaviva confirmed the incident in a statement to local media, saying security monitoring identified and isolated a cyberattack that affected corporate systems and resulted in the theft of some data. The company said it activated security and counter-response procedures, informed national authorities including the police, the national cybersecurity agency and the data protection authority, and that an investigation is ongoing.
It is currently unclear whether passenger information is included in the leak or whether other clients beyond FS are affected; the investigation is ongoing.