Fake IT Call Unlocked 2 Million Database Queries at WINDTRE, Exposing 365K
1 hour ago / Read about 42 minute
Source:TechTimes

Windtre.it

Italy's data protection authority published a ruling last week imposing a €1.7 million ($1.94 million) penalty on WINDTRE S.p.A. after hackers phoned two retail stores, pretended to be technical-support staff, and walked employees through steps that handed over every authentication factor needed to access the company's internal customer database. The attackers then ran approximately 2 million sequential queries — iterating through customer identifiers one by one — and pulled the personal records of more than 365,000 people before anyone noticed, according to Reuters.

The fine, formally decided on May 14, 2026, and published in the Garante per la protezione dei dati personali's Newsletter No. 549 on July 16, makes WINDTRE one of Italy's most persistently sanctioned telecoms operators under the EU General Data Protection Regulation (GDPR). It also provides one of the clearest documented examples to date of how a social-engineering attack on a retail touchpoint — a technique that requires no malware, no zero-day vulnerability, and no technical sophistication — can defeat an enterprise security stack and empty a customer database at scale.

How Attackers Converted a Phone Call Into 2 Million Database Queries

The two incidents both occurred in February 2025, each at a separate WINDTRE retail point of sale, within days of each other. In the first, attackers telephoned store staff while impersonating technical-support personnel and talked the employee through a sequence of steps that granted the callers remote access to the in-store system. From that position, they executed 66 queries against WINDTRE's internal customer database, exposing the records of 23 individuals. The company filed a mandatory breach notification with the Garante on February 20, 2025, as documented in the Garante's investigation.

The second incident followed the same method but was dramatically larger. Attackers once again called a retail employee, impersonated IT staff, and obtained remote access. This time they executed approximately 2 million sequential database queries — incrementing a customer identifier field with each request — ultimately accessing the records of more than 365,000 people. The second breach notification was filed on February 28, 2025, according to Italian reporting on the Garante's decision.

What makes the second breach notable beyond its scale is what its execution reveals about the database access architecture. According to the Garante's findings, two million queries ran to completion without triggering any alert, rate limit, or automatic access suspension — meaning that store-level credentials, once obtained through social engineering, provided effectively unrestricted read access to WINDTRE's full customer database. The Garante's finding that WINDTRE's own security checks had failed to detect this vulnerability implies that the architecture itself — not just the training of the employee who answered the phone — was the gap the attackers walked through.

The data exposed for the 365,000-plus affected customers included names, addresses, and contact details. For 41,359 of them, the breach reached deeper: attackers also obtained payment-method metadata, including the type of payment instrument (postal order, IBAN, or payment card), partially masked credit-card numbers, and card expiry dates. Complete card numbers were not exposed — a distinction the Garante factored into its penalty calculation, per Reuters.

What the Garante Found — and What It Ordered

The Garante's investigation confirmed two systemic failures that the authority determined had made both breaches avoidable.

The first was inadequate credential and digital-certificate management. The attackers obtained all authentication factors through social engineering — meaning that, according to the Garante's findings, WINDTRE's controls for issuing, distributing, and revoking credentials and digital certificates at the retail-channel level were not robust enough to prevent a compromised store employee from functioning as an open door into core systems, as detailed in the Garante's regulatory decision.

The second failure was the inadequacy of WINDTRE's internal security assessments. The Garante found that the company's own security checks had not detected vulnerabilities that more thorough testing would have surfaced. In other words, the weaknesses were discoverable before the attacks — they simply were not discovered.

The Garante found that together these failings violated GDPR Articles 5(1)(f) and 32 — the regulation's integrity-and-confidentiality principle and its general security-of-processing obligations. Article 32 requires controllers to implement "appropriate technical and organizational measures" proportional to the risk presented by processing personal data, including a process for regularly testing and evaluating those measures' effectiveness.

Beyond the €1,715,600 fine, the Garante issued mandatory remediation orders. WINDTRE must now overhaul the storage and lifecycle management of digital certificates using dedicated, secure credential-management infrastructure; deploy secure password-management tooling across its retail-channel systems; formalize and tighten procedures for the issuance, rotation, revocation, and renewal of all credentials and certificates; and strengthen cybersecurity protocols across its commercial network, per the Garante's published decision. The company has 30 days from the July 16 newsletter publication to report its compliance measures to the Garante.

Read more: GDPR Applies to AI Training Data: EU Ends Web Scraping Free Pass for Every Lab

Why the Fine Is Smaller Than It Sounds

WINDTRE's stated mitigating actions significantly influenced the penalty. The company self-reported both breaches promptly within the 72-hour notification window that GDPR Article 33 requires. It cooperated fully with the Garante's investigators. After the attacks, it revoked the compromised digital certificates and reset affected passwords. And it already had a number of security controls in place at the time of the incidents — multi-factor authentication on some systems, CAPTCHA protections, firewalls, activity logging, and nighttime access restrictions.

The Garante judged those existing controls insufficient against the specific threat that materialized, but acknowledged them as genuine mitigating evidence. The result: the €1.7 million fine equals approximately 0.04% of WINDTRE's reference turnover and roughly 1% of the theoretically applicable maximum sanction under GDPR Article 83. That is a substantially discounted outcome for a breach affecting 365,000 people — though the mandatory remediation orders, which are binding legal obligations backed by separate compounding sanctions for non-compliance, carry their own operational weight, as the Garante's decision documents.

WINDTRE declined to comment publicly on the decision.

WINDTRE Has Been Here Before

This is not WINDTRE's first encounter with the Garante. In July 2020, the authority issued a €16.7 million fine against the operator — a substantially larger penalty — for systematic unlawful direct-marketing activity: unsolicited texts, emails, faxes, and automated calls sent to users who had not consented, data included in public phone directories against users' express objections, and failures in the management of third-party marketing partners. That case turned on consent-and-marketing violations; this one turns on data-security architecture.

In February 2025 — the same month WINDTRE was filing its breach notifications — the Garante also issued a separate fine of over €347,000 against the operator for illegally processing customer data for marketing purposes, per the Garante's newsletter archive.

The recurrence of enforcement actions within a single operator's profile is precisely the pattern the Garante's current enforcement posture is designed to make costly. The CMS 2025/2026 GDPR Enforcement Tracker Report characterizes the Italian authority as the fastest-escalating in the EU, increasingly calibrating its penalty levels to align with decisions from the Irish and French watchdogs. In the second half of 2025, the Garante focused its inspection activity specifically on data breaches involving databases and access controls — the precise category into which the WINDTRE case falls.

Italian Enforcement in a Record Year for European Data Protection

The WINDTRE decision arrives during what is, by most metrics, the most intense period of GDPR enforcement since the regulation came into force in May 2018.

Annual fines across Europe have stabilized at approximately €1.2 billion for the years ending January 2025 and January 2026, reversing an earlier downward trend, according to the DLA Piper GDPR Fines and Data Breach Survey published in January 2026. The cumulative total of all GDPR sanctions has now surpassed €7.1 billion. Separately, breach notifications to European supervisory authorities reached a daily average of 443 in the year to January 2026 — a 22% year-over-year increase and the first time the figure has exceeded 400 per day since the regulation's inception.

Italy has been among the more active participants in this wave. The Garante's largest fine in Italian data-protection history remains the €79.1 million sanction issued against Enel Energia in February 2024 for telemarketing supply-chain failures. In March 2026, the Garante imposed a €31.8 million penalty on Intesa Sanpaolo following an insider-access breach in which a single bank employee made more than 6,600 unauthorized queries into customer records over more than two years. The Intesa case is an instructive parallel to WINDTRE's: in both, the core finding was that database-query activity went undetected for an extended period — external attacker in one case, internal employee in the other.

The WINDTRE fine is modest by comparison, but its mandatory remediation orders signal what the Garante expects operators to demonstrate going forward: not just a post-breach response, but a pre-breach architecture that would have made 2 million sequential database queries impossible from a store-level login.

Read more: GDPR Driver Monitoring Fails Safety Defense: Securitas AI Cameras Ruled Unlawful

What WINDTRE Customers Should Know Now

Customers whose data was exposed in either incident remain at elevated risk of targeted follow-on attacks. Phishing and vishing attempts using the exposed personal details and partial payment information are the most likely downstream threat, according to Italian cybersecurity analysis of the breach. Any unsolicited communication claiming to be from WINDTRE and asking for account verification, payment updates, or security confirmations should be treated with heightened suspicion regardless of how personalized it appears.

WINDTRE has already begun mandatory customer notification, as required under GDPR Article 34 when a breach is likely to result in a high risk to individuals' rights and freedoms. Customers who believe they may have been affected can consult WINDTRE's official privacy contacts for confirmation. Complete payment card numbers were not exposed in either breach — meaning cards do not need to be replaced solely on the basis of this incident — but the partially masked numbers and expiry dates in the subset of 41,359 affected customers do provide material useful for social engineering follow-up attacks, as confirmed by the Garante's official newsletter.

How a Phone Call Defeats a Security Stack — and What Changes That

The structural lesson in the WINDTRE case is not primarily about training. Staff training is necessary and the Garante has required WINDTRE to address it, but training alone does not prevent 2 million database queries from executing once credentials are compromised. The enforcement action implicitly demands something harder to mandate: a security architecture in which the blast radius of a compromised store credential is limited by design, as called for by GDPR Article 32's security-of-processing standards.

This means, at minimum, query-volume anomaly detection at the database layer that flags and suspends sessions executing high-volume sequential reads. It means rate limiting on API or SQL queries generated through retail-channel credentials. It means row-level access controls that restrict what a store employee's account can retrieve to data relevant to that store's transactions. And it means credential distribution systems that verify the identity of the recipient — not just the person requesting the credential on behalf of the recipient — before issuing authentication factors by phone or digital channel.

The attackers in the WINDTRE case called a store, asked politely, and were handed the keys to a database containing the records of hundreds of thousands of people. The Garante's remediation orders are intended to ensure that the next call like that ends differently. Whether they succeed depends on whether WINDTRE treats the 30-day compliance report as a minimum legal threshold or as an opportunity to rebuild from the access-control layer up, as required by the Garante's published ruling.


Frequently Asked Questions

What data was exposed in the WINDTRE breach, and am I at risk?

For the vast majority of the 365,000-plus affected customers, the exposed data consists of names, addresses, and contact details. For a subset of 41,359 customers, attackers also obtained payment-method metadata — specifically, the type of payment instrument used (postal order, IBAN, or payment card), partially masked credit-card numbers, and card expiry dates. Complete card numbers were not exposed. Customers in the affected group face an elevated risk of targeted phishing or vishing attacks that use the personal details to appear credible. Any unsolicited communication asking for payment updates or account verification should be verified through WINDTRE's official contact channels only, according to Reuters reporting.

Why did 2 million database queries go undetected, and what does WINDTRE have to fix?

The Garante's decision implies that retail-channel credentials provided unrestricted, rate-unlimited read access to WINDTRE's customer database — enabling the attackers to run approximately 2 million sequential queries without triggering any alert or automatic suspension. The remediation orders require WINDTRE to implement secure credential-vault infrastructure for digital certificates, deploy proper password-management tooling, and formalize lifecycle controls for all credentials — but the underlying architectural gap that allowed 2 million queries to complete undetected points to missing database-layer controls: rate limiting, query-volume anomaly detection, and session-level access restrictions based on the querying account's role. WINDTRE must report its remediation steps to the Garante within 30 days, per the Garante's decision.

How does Italy's Garante decide the size of a GDPR fine?

GDPR Article 83 allows fines of up to €10 million or 2% of global turnover for Article 32 security violations, and up to €20 million or 4% of global turnover for Article 5 principle violations — whichever is higher in each tier. The Garante weighs both aggravating factors (scope of breach, nature of data, inadequacy of existing controls) and mitigating ones (prompt notification, cooperation, post-breach remediation, absence of intentional conduct). In WINDTRE's case, the final penalty of €1.7 million represents approximately 0.04% of the company's reference turnover — a heavily discounted outcome driven by the strength of the mitigating factors, particularly the prompt 72-hour self-reporting of both incidents, according to the DLA Piper GDPR Fines and Data Breach Survey.

Should WINDTRE's ownership by Hong Kong's CK Hutchison concern European customers?

CK Hutchison Holdings — a Hong Kong-listed conglomerate controlled by the Li family — has been WINDTRE's sole owner since September 2018. WINDTRE's customer data is processed under GDPR in Italy, which requires European data-protection standards regardless of the parent company's domicile. Following Hong Kong's National Security Law, enacted in June 2020, the legal boundary between mainland Chinese data-access obligations and HK-incorporated entities has become less clearly defined. However, no confirmed instances of state-level access requests to WINDTRE's systems have been reported, and the Garante's current enforcement action concerns domestic data-security architecture, not cross-border data transfers. Readers who are concerned can consult WINDTRE's published data protection disclosures for information on where their data is stored and processed.