Italy Fines WINDTRE €1.7M for Breaches Exposing 365K Customers

Italy's Garante fined telecom operator WINDTRE €1.7 million for two 2024 data breaches in which social engineering attacks exposed data on 365,000 customers.
Table of Contents
    Add a header to begin generating the table of contents

    Italy’s data protection authority, the Garante per la protezione dei dati personali, fined WINDTRE S.p.A. €1.7 million on July 16, 2026, for “serious shortcomings” in its data security systems that allowed attackers impersonating IT support technicians to access corporate systems and compromise the personal data of more than 365,000 customers.

    How Attackers Posing as IT Support Bypassed WINDTRE’s Corporate Access Controls

    The two data breaches at the center of the Garante’s enforcement action share the same attack method. Attackers posed as technical support personnel — impersonating IT support contractors — and convinced employees at WINDTRE retail points of sale to grant system access. The social engineering technique exploited the trust that customer-facing employees extend to individuals presenting as support technicians. WINDTRE’s corporate identity verification controls did not prevent that trust from being abused.

    WINDTRE submitted breach notification reports to the Garante in February 2025. The Garante’s investigation and fine announcement followed approximately 17 months later, a timeline consistent with Italian DPA investigations of multi-breach enforcement actions.

    365,000 Customer Records Exposed, Including 41,359 Payment Accounts

    Of the more than 365,000 WINDTRE customers whose personal and contact data was compromised, 41,359 had sensitive payment information accessed. Compromised payment data included bank account details, partially obscured credit card numbers, and credit card expiration dates — categories of information that enable financial fraud against account holders.

    The Garante’s finding that WINDTRE failed to implement “adequate technical and organizational security measures” under Article 32 of the EU General Data Protection Regulation focuses specifically on WINDTRE’s failure to prevent unauthorized physical access to systems through its retail workforce. Article 32 obligations under the GDPR extend beyond software and network security to encompass procedural and organizational controls — including the identity verification procedures an organization requires before granting any individual, including apparent support personnel, access to systems containing customer data.

    How the 2026 Garante Fine Differs from WINDTRE’s 2020 Enforcement Action

    The July 2026 fine is legally distinct from WINDTRE’s prior Garante enforcement action. In 2020, the Garante fined Wind Tre €17 million — ten times the current penalty amount — for GDPR violations related to unlawful marketing data collection. That earlier enforcement addressed how WINDTRE processed customer data for commercial purposes. The July 2026 fine addresses physical access control failures that enabled attackers to compromise customer data through social engineering — a different category of GDPR violation under the security obligation framework.

    The contrast between the two enforcement actions illustrates that the Garante applies GDPR enforcement across the full spectrum of data protection obligations: from lawful basis for commercial data use, addressed in the 2020 action, to technical and organizational security measures preventing unauthorized physical access, addressed in the 2026 action.

    Social Engineering as a Failure of GDPR Article 32 Organizational Controls

    The WINDTRE enforcement action positions successful social engineering as a failure of organizational security measures under Article 32 — not merely a criminal act by external parties for which the company bears no accountability. GDPR’s Article 32 requires data controllers to implement “appropriate technical and organizational measures” to ensure a level of security appropriate to the risk. European data protection authorities have increasingly interpreted that standard to include human and procedural factors: staff training, identity verification protocols for support personnel, and access controls at customer-facing retail locations.

    Telecom operators handle a broad range of sensitive customer data — communications records, billing histories, and, as the WINDTRE breach demonstrates, financial account details linked to service subscriptions. The Garante’s enforcement expansion from digital data practices to physical access failures at retail points of sale signals that EU telecoms cannot address GDPR compliance as a purely technical cybersecurity obligation while leaving the human and procedural controls governing customer-facing operations unaddressed.

    The exposure of payment data for 41,359 customers through a social engineering attack at retail locations rather than through a network intrusion demonstrates that an attacker who successfully impersonates support personnel can access the same customer data that technical controls are designed to protect. The attack’s effectiveness depended entirely on employee behavior in a physical retail setting — a dimension of data security that GDPR Article 32 now clearly encompasses within the Garante’s enforcement reach.

    Related Posts