Massive Data Breach Hits Luxury Italian Hotels
In one of the most alarming cyberattacks to strike Europe’s hospitality sector in recent years, a criminal hacking group has infiltrated the booking systems of several luxury hotels across Italy. The cybercriminals, known as “My Docs,” have stolen tens of thousands of guests’ personal identification documents, including high-resolution scans of passports and national ID cards. These sensitive files are now being openly advertised for sale on the dark web at prices ranging from €800 to a staggering €10,000 each, depending on the rarity and value of the data.
Targets Include Venice, Trieste, and Capri
The breach has impacted some of Italy’s most exclusive tourist destinations, including iconic properties in Venice, the port city of Trieste, and the glamorous island of Capri. According to Italian authorities, the hackers began their illegal access in June, exploiting weaknesses in digital reservation platforms used by multiple high-end hotels. Once inside, they exfiltrated detailed personal data collected during guest check-ins, a mandatory process under Italian law that requires hotels to retain copies of travelers’ identification.
How the Hack Unfolded
Investigators from Italy’s cybercrime unit revealed that “My Docs” utilized advanced penetration techniques to bypass security protocols in hotel management systems. Once they gained administrator-level access, they downloaded archives containing years’ worth of guest registrations. The stolen data includes not only passports and ID cards but in some cases, visas, driver’s licenses, and supporting travel documentation—making it a goldmine for identity thieves.
Dark Web Marketplace Sales
The stolen identities are currently being marketed on dark web forums notorious for trafficking in stolen data. Italy’s national digital security agency (AgID) warns that the documents are being priced according to their “utility” for criminal use. For example, passports from certain countries, or those belonging to public figures and wealthy individuals, can fetch higher prices—sometimes exceeding €10,000. These documents can be exploited for a range of illegal activities, from opening fraudulent bank accounts to enabling cross-border smuggling.
Broader Implications for Global Tourism
Cybersecurity experts caution that this breach highlights a growing threat to the global tourism industry, where digital systems often handle enormous volumes of personal data but are not always equipped with enterprise-grade security measures. The Italian case underscores the urgent need for hotels and resorts worldwide to strengthen their cybersecurity defenses, implement multi-factor authentication, and encrypt sensitive guest information to prevent similar incidents.
Authorities Respond, But Risks Remain
Law enforcement agencies across Europe are now collaborating to track down the perpetrators and dismantle their dark web sales channels. However, given the nature of cybercrime, once personal data is leaked, it can circulate indefinitely, making full recovery virtually impossible. Travelers are being urged to monitor their financial accounts and consider placing fraud alerts if they have recently stayed in any of the affected regions.
A Wake-Up Call for the Hospitality Sector
This incident serves as a stark reminder that in today’s interconnected world, even the most luxurious hotels are not immune to digital threats. As the tourism industry continues to digitize guest experiences, the value of robust cybersecurity measures can no longer be underestimated. Without decisive action, such breaches may become not an exception, but the norm.