Italy: Nearly 100,000 ID scans from hotel guests found on dark web

Italian authorities have discovered that a malicious actor has obtained tens of thousands of high-resolution scans of passports, ID cards and other documents taken from hotel guests during check-in.

The hacker, known as “mydocs,” posted 90,600 images for sale on the dark web in several batches between August 8th and 12th. The actor claimed to have obtained them through unauthorized access to hotel computer systems between June and August 2025.

The Agency for Digital Italy (AgID) believes that the incident affected 10 hotels, with more discoveries possible in the coming days. The illegal sale was detected with the help of its national cybersecurity protection body, the Computer Emergency Response Team (CERT-AGID), the agency announced last Wednesday.

“This data, once stolen, can be used for fraudulent purposes: from creating false documents to opening bank accounts, to social engineering attacks and digital identity theft, with potentially serious consequences for the victims, both financially and legally,” says AgID.

No official information has been released about the hotels involved. Cybersecurity company Hackmanac, however, claims that it has identified the hotels in question, naming several Italian hotels and one Spanish resort.

The Italian Data Protection Authority (DPA) has announced its own investigation and called on the affected hotels to immediately protect their data and warn affected customers. Tourist accommodation providers were also urged to process data through the state police-operated Alloggiati web portal for online guest registration.

Last year, InfoCert, the company that provides Italian digital identity service SPID, announced its data breach, including full names, tax codes, phone numbers and email addresses. 

Article Topics

cybersecurity  |  digital identity  |  identity document  |  Italy