Italian digital identity provider suffers data breach, 5.5M customers affected

InfoCert has had millions of its customers’ personal data stolen and put up for sale.

A leading European certification authority and provider of digital identity services such as Italy’s SPID (Public Digital Identity System), InfoCert posted a public notice on its website detailing the data breach on December 27. However, the notice has since been taken down.

Seen by Biometric Update, the notice said there had been an “unauthorized publication of personal data related to customers.” The personal data – which includes full names, tax codes, phone numbers and email addresses – of 5.5 million customers were taken.

According to a source, part of the stolen data was published and advertised on a dark web forum, with the entire database on sale for a price.

InfoCert claimed the leak came about via the systems of a third-party supplier, to which customers were registered, and that “illicit activity” had been committed against this supplier. InfoCert said that its own systems had not been compromised and nor had its service access credentials or passwords.

The company said that it is investigating the matter, and will report to the relevant authorities.

InfoCert is part of Tinexta Group and an Italian company operating in the IT security, digital signatures, and digital identity industry. It manages some 1.8 million active SPID identities and is one of the 12 accredited providers of such services in Italy where there are 39 million active SPID.

Cybersecurity and trust is an ongoing challenge in the digital identity market and analysts have elaborated on the global trends going into 2025, with use of AI and lack of understanding around cybersecurity cited as some major concerns.

Article Topics

access management  |  data protection  |  digital ID  |  digital identity  |  InfoCert.Digital  |  Qualified Trust Service Provider (QTSP)  |  SPID