Data from Italy’s national railway operator, the FS Italiane Group, has been exposed after a threat actor breached the organization’s IT services provider, Almaviva.
The hacker claims to have stolen 2.3 terabytes of data and leaked it on a dark web forum. According to the threat actor’s description, the leak includes confidential documents and sensitive company information.
Almaviva is a large Italian company that operates globally, providing services such as software design and development, system integration, IT consulting, and customer relationship management (CRM) products.
Andrea Draghetti, Head of Cyber Threat Intelligence at D3Lab, says the leaked data is recent, and includes documents from the third quarter of 2025. The expert ruled out the possibility that the files were recycled from a Hive ransomware attack in 2022.
“The threat actor claims the material includes internal shares, multi-company repositories, technical documentation, contracts with public entities, HR archives, accounting data, and even complete datasets from several FS Group companies,” Draghetti says.
“The structure of the dump, organized into compressed archives by department/company, is fully consistent with the modus operandi of ransomware groups and data brokers active in 2024–2025,” the cybersecurity expert added.
Source: Andrea Draghetti
Almaviva is a major IT services provider with over 41,000 employees across almost 80 branches in Italy and abroad, and an annual turnover of $1.4 billion last year.
FS Italiane Group (FS) is a 100% state-owned railway operator and one of the largest industrial companies in the country, with more than $18 billion in annual revenue. It manages railway infrastructure, passenger and freight rail transport, and also bus services and logistics chains.
While BleepingComputer’s press requests to both Almaviva and FS went unanswered, the IT firm eventually confirmed the breach via a statement to local media.
“In recent weeks, the services dedicated to security monitoring identified and subsequently isolated a cyberattack that affected our corporate systems, resulting in the theft of some data,” Almaviva said.
“Almaviva immediately activated security and counter-response procedures through its specialized team for this type of incident, ensuring the protection and full operability of critical services.”
The company also stated that it has informed authorities in the country, including the police, the national cybersecurity agency, and the country’s data protection authority. An investigation into the incident is ongoing with help and guidance from government agencies.
Almaviva promised to transparently provide updates as more information emerges from the investigation.
Currently, it is unclear if passenger information is present in the data leak or if the data breach is impacting other clients beyond FS.
BleepingComputer has contacted Almaviva with additional questions, but we have not received a response by publication time.
As MCP (Model Context Protocol) becomes the standard for connecting LLMs to tools and data, security teams are moving fast to keep these new services safe.
This free cheat sheet outlines 7 best practices you can start using today.