Milan, 16 July (LaPresse) – The Data Protection Authority has imposed a fine of €1,715,600 on Wind Tre spa for “serious shortcomings in the security of the company’s systems, which led to two instances of unauthorised access and the exfiltration of personal data belonging to over 365,000 customers. For 41,359 of these customers, the data breach also involved information relating to the payment methods used, such as postal payment slips, IBANs, credit card numbers (with the number partially obscured) and expiry dates”. So stated the Data Protection Authority in its newsletter. The Authority’s investigation – “launched following the two data breaches notified by the company in February 2025” – established that the hackers, posing as support technicians, persuaded staff at two retail outlets to grant access to the company’s systems, thereby managing to exfiltrate customers’ personal and contact details. In particular, the Data Protection Authority found “shortcomings in the management of login credentials and digital certificates”. “The security checks carried out by the company,” it added, “had not identified vulnerabilities that would have been detectable through more thorough checks. These weaknesses enabled the hackers to access the company’s systems and steal personal data”. The Authority established a “breach of the principles of data integrity and confidentiality, and of security obligations” as set out in the GDPR, and ordered Wind Tre to “strengthen its systems for protecting login credentials and digital certificates, to introduce secure tools for password management, and to improve its IT security procedures to prevent similar incidents in the future”. “In determining the amount of the fine”, the Data Protection Authority “took into account the prompt notification of the incident, the corrective measures adopted following the attack and the cooperation provided by the company during the investigation”.
Data Protection Authority fines Wind Tre 1.7 million: data security shortcomingsv

Milan, 16 July (LaPresse) – The Data Protection Authority has imposed a fine of €1,715,600 on Wind Tre spa for “serious shortcomings in the security of the company’s systems, which led to two instances of unauthorised access and the exfiltration of personal data belonging to over 365,000 customers. For 41,359 of these customers, the data breach also involved information relating to the payment methods used, such as postal payment slips, IBANs, credit card numbers (with the number partially obscured) and expiry dates”. So stated the Data Protection Authority in its newsletter. The Authority’s investigation – “launched following the two data breaches notified by the company in February 2025” – established that the hackers, posing as support technicians, persuaded staff at two retail outlets to grant access to the company’s systems, thereby managing to exfiltrate customers’ personal and contact details. In particular, the Data Protection Authority found “shortcomings in the management of login credentials and digital certificates”. “The security checks carried out by the company,” it added, “had not identified vulnerabilities that would have been detectable through more thorough checks. These weaknesses enabled the hackers to access the company’s systems and steal personal data”. The Authority established a “breach of the principles of data integrity and confidentiality, and of security obligations” as set out in the GDPR, and ordered Wind Tre to “strengthen its systems for protecting login credentials and digital certificates, to introduce secure tools for password management, and to improve its IT security procedures to prevent similar incidents in the future”. “In determining the amount of the fine”, the Data Protection Authority “took into account the prompt notification of the incident, the corrective measures adopted following the attack and the cooperation provided by the company during the investigation”.
