Wind Tre Fined €1.7 Million After Data Breaches Exposed Information of More Than 365,000 Customers
Key Takeaways
- €1.7 Million GDPR Fine: Italy's data protection authority fined Wind Tre €1,715,600 for security failures that contributed to two data breaches.
- 365,000+ Customers Affected: Personal data belonging to more than 365,000 customers was exfiltrated, with payment-related information compromised for 41,359 individuals.
- Credential Management Failures: The authority identified deficiencies in the management of login credentials and digital certificates, along with inadequate security audits that failed to detect exploitable vulnerabilities.
- Corrective Measures Ordered: Wind Tre must strengthen credential protections, deploy secure password management tools, and improve IT security procedures to prevent future incidents.
Deep Dive
Italy's data protection authority has fined telecommunications provider Wind Tre €1.7156 million after finding serious security deficiencies that enabled attackers to gain unauthorized access to company systems and exfiltrate the personal data of more than 365,000 customers. The decision follows an investigation by the Italian Data Protection Authority, known as the Garante per la Protezione dei Dati Personali, into two data breaches that the company reported in February 2025.
According to the authority, attackers posing as technical support personnel persuaded employees at two Wind Tre retail stores to grant them access to corporate systems. That access enabled the attackers to extract customers' personal and contact information. For 41,359 affected customers, the compromised data also included information related to payment methods, including postal payment slips, IBANs, and credit cards with partially obscured card numbers and expiration dates.
The Garante concluded that the incidents were made possible by shortcomings in the company's management of login credentials and digital certificates. It also found that Wind Tre's security audits failed to identify vulnerabilities that should have been detected through more comprehensive testing, allowing attackers to infiltrate company systems and steal customer data.
As a result, the authority determined that Wind Tre had violated the GDPR's principles of integrity and confidentiality as well as its security obligations under the regulation.
Security Improvements Ordered
In addition to the financial penalty, the Garante ordered Wind Tre to strengthen protections surrounding digital credentials and certificates, introduce secure password management tools, and enhance its IT security procedures to reduce the risk of similar incidents.
When calculating the €1,715,600 fine, the authority said it considered several mitigating factors, including the company's prompt notification of the breaches, the corrective measures implemented following the attacks, and its cooperation throughout the investigation.
The decision shows regulators' continued focus on whether organizations maintain effective technical and organizational safeguards to protect personal data, particularly where preventable weaknesses in identity and access management contribute to large-scale data breaches.
The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.

