Italian passport scans from approximately 100,000 hotels illegally sold on the dark web
Italian Hotel Data Breach Exposes Thousands of Passports and ID Cards
A significant cyberattack on Italian hotel systems has led to the theft of tens of thousands of high-resolution scans of tourists' passports and ID cards, according to the Agency for Digital Italy (AgID). The stolen data was advertised for sale on the dark web between August 9 and 11, with prices ranging from €800 to €10,000.
The investigation has found that the stolen data was bundled and offered to multiple buyers, with at least ten hotels confirmed as victims, including Ca' dei Conti in Venice and Hotel Continental in Trieste. The seller, using the handle 'médoc', claimed the data was harvested after unauthorized access to hotel IT systems between June and August 2025.
This incident highlights a significant vulnerability in hotel IT systems in Italy, where unauthorized access to booking and check-in databases led to the theft of sensitive personal data, including passports and identity documents. The stolen data can be used for creating fake documents, opening fraudulent bank accounts, or committing digital identity theft, posing serious financial and legal risks for victims.
To protect their identities, travelers should take the following precautions:
- Minimize sharing physical ID copies: Avoid leaving physical copies of passports or ID cards unless strictly required, and verify how the data will be stored and protected.
- Use official digital registration systems when possible: In Italy, the state police's Alloggiati web portal is recommended for secure online guest registration, offering better protection than some hotel internal systems.
- Monitor financial and online accounts vigilantly: After traveling, watch for unauthorized activity in bank accounts, credit cards, and online profiles to detect early signs of identity fraud.
- Report suspicious activity immediately: Contact banks, credit agencies, and local authorities if you suspect your identity has been compromised.
- Use secure and reputable hotels: Prefer hotels with strong cybersecurity measures and official complaint channels.
- Consider identity theft protection services: These can help detect misuse based on leaked personal data.
Hotels and booking partners are advised to patch systems, harden remote access, rotate credentials, encrypt stored scans, and purge what they don't need. Regular third-party security audits are also necessary. Travelers should not email passport scans without encryption, and at the desk should show the document itself rather than handing over a phone with the file open.
The investigation into this data breach is still active, and more impacted properties may be named in the days ahead. Cybersecurity teams are currently tracing the listings and contacting identified venues. Weak passwords, out-of-date software, and exposed remote access can make hotel IT systems vulnerable to unauthorized access.
In the EU, victims can complain to their national data protection authority if their data is misused. Passport and ID scans can be used by crooks to forge documents, open bank or phone accounts, apply for loans, or hijack digital identities. AgID has issued urgent guidance to hospitality operators and notified law enforcement.
While this breach represents an alarming example of ID theft risks from hotel systems in Italy, heightened vigilance and protective actions can reduce potential damage to travelers’ identities.
- This Italian hotel data breach, revealing thousands of passports and ID cards, underscores the importance of strong cybersecurity measures in the technology sector, particularly in the hospitality industry.
- General-news outlets have reported that the stolen data, including high-resolution scans of passports and ID cards, can be used in various crimes, such as creating fake documents, committing digital identity theft, and opening fraudulent bank accounts, posing significant financial and legal risks.
- In response to the breach, experts suggest travelers take precautions to safeguard their identities, including using official digital registration systems when available, monitoring financial and online accounts vigilantly, and considering identity theft protection services.