Decoding the world of cybersecurity

WINDTRE faces €1.7m penalty after retail breaches

Italy’s privacy regulator has fined WINDTRE after attackers exploited retail support processes and weak credential and certificate controls to access data belonging to more than 365,000 customers.

WINDTRE faces €1.7m penalty after retail breaches
Summary
  • Two intrusions exposed personal data belonging to more than 365,000 WINDTRE customers, including payment information for 41,359 people.
  • Attackers posed as support technicians and persuaded employees at two retail outlets to help them access company systems.
  • Italy’s privacy regulator identified failures in credential management, digital certificates, password controls, and security testing.

Italy’s privacy regulator has fined WINDTRE €1,715,600 after finding that weaknesses in the telecoms operator’s security controls contributed to two intrusions affecting more than 365,000 customers.

The incidents, notified to the regulator in February 2025, began when attackers impersonated technical support staff and persuaded employees at two retail outlets to help them access company systems. The attackers subsequently extracted identity and contact information belonging to WINDTRE customers, according to Italy’s data protection authority, the Garante.

Payment-related information was also involved for 41,359 people. The affected records included International Bank Account Numbers, postal payment information, partially masked card numbers, and card expiry dates.

In its enforcement notice, the Garante identified deficiencies in the management of access credentials and digital certificates. It also found that WINDTRE’s security checks had failed to identify vulnerabilities that should have been discoverable through more extensive testing.

The regulator concluded that the shortcomings breached the General Data Protection Regulation’s requirements concerning data integrity, confidentiality, and security. Alongside the financial penalty, it ordered WINDTRE to strengthen the protection of credentials and certificates, introduce safer password-management tools, and improve its testing and security procedures.

WINDTRE’s prompt notification, remedial work, and cooperation with the investigation were taken into account when the penalty was calculated. The decision therefore distinguishes between the controls in place before the incidents and the operator’s conduct after they were detected.

Retail access reached central systems

Although the attackers relied on social engineering, the Garante did not reduce the incidents to an employee-awareness failure. The deception succeeded because retail access, support processes, credentials, certificates, and technical checks did not contain the consequences of a successful approach.

Telecoms retail environments are difficult to secure because employees need to resolve account problems quickly, work with identity data, and rely on central applications and support functions. Attackers who understand the terminology and working practices of those environments can create convincing requests without exploiting a software vulnerability.

Support interactions involving privileged actions require independently verified channels, strong authentication, narrowly scoped permissions, device assurance, and monitoring for unusual credential or certificate activity. Retail accounts should also be separated from systems and datasets that are not required for the employee’s role.

Digital certificates can create a persistent route of trust if issuance, storage, revocation, and monitoring are weak. Resetting a user password may not close an incident where a certificate remains active or where an attacker has obtained another form of machine or application identity.

The findings on security testing extend the case beyond access administration. Assessments that examine individual systems but do not test how retail identities, support procedures, certificates, and central applications interact may miss the route an attacker is most likely to use.

Operational controls shape GDPR liability

European privacy enforcement increasingly examines whether technical and organisational measures worked before an incident, rather than stopping at notification speed or the existence of written policies. Prompt disclosure and cooperation can reduce a penalty, but they do not remove accountability for weaknesses that enabled access.

Telecoms operators hold identity, billing, communications, and payment information at a scale that allows a local control failure to expose a large customer population. Their networks and customer accounts are also used by other organisations for authentication, communication, and service delivery.

The WINDTRE decision connects identity governance directly to regulatory liability. Investment in perimeter controls and monitoring provides limited protection where support processes, certificates, and distributed employee access permit attackers to move towards central systems.

Organisations with branches, dealerships, franchisees, or outsourced service desks face comparable exposure. Their security design has to assume that some persuasive approaches will succeed, while ensuring that one employee interaction cannot produce broad access or large-scale data extraction.

×