Maggioli victim of ransomware, many municipalities involved: how serious the damage is

On 25 September starting at 3:00, Maggioli’s systems were hit by a cyber attack with a ransomware. Event that Maggioli communicated to the Privacy Guarantor and to some interested bodies, such as – as far as is known – hundreds of municipalities.

The cyber attack on the Maggioli group

The Maggioli group has an international presence, being present not only in Italy, but also in Spain, Colombia, Belgium and Greece; boasts 140,000 customers and 25,000 installed software.

The services are numerous and aimed at public administrations, professionals and companies. Limiting ourselves to a very brief exposition of the services offered to Italian local authorities, we find digitization solutions for all the typical offices of a municipality, whether they are software for land management, systems for contracting stations, the management of financial activities or local police . Among the services offered there are also Cyber ​​Security solutions.

Returning instead to the dynamics of the facts, on the night of September 25 the attack on Maggioli’s systems began, which became aware of the event 11 hours later, following anomalies found on the systems.

The event is obviously significant, as the company had to, pursuant to Art. 33 write to Garante privacy, in how much personal data existed on the compromised servers and communicate to all customers, pursuant to art. 28, to give them evidence of the facts and therefore provide for the typical obligations of Art. 33.

We remind you that the documentation obligations, notification to the Guarantor and communication to the interested parties must be assessed according to different criteria and complied with as the significance of the data breach increases.

Maggioli’s note

In the note, the company defines the incident as “a cyber incident that was traced to a sophisticated attack directed at some of the corporate servers” through “a new type of ransomware, created specifically by cyber criminals in order to hit the IT infrastructure of society”.

The systems for penalties of the highway code and taxes are affected

The notes coming to the Italian municipalities vary depending on which of the services affected by the attack the same has in place with the software house. The cryptolocker called “CONTI” seems to have specifically targeted the “Maggioli Tributi” business unit.

Compromised services of which we are sure are the “Concilia Service” service, which is a system for the management of administrative sanctions relating to violations of the rules of the Highway Code and other administrative regulations, and MT Tributi, often adopted by the Accounting offices, but there may be others.

The first note of 30 September was concerned with reporting mainly the temporary unavailability of data. He also explained that “the information contained therein could also include personal data such as personal data of taxpayers, physical and / or electronic domiciles, taxpayers’ requests, debt / credit situations, cadastral data / real estate possessions, vehicle data, current accounts and employers of work”.

Maggioli in both communications, the first and partial on September 30, and the second with more information on October 01, as well as in the press release published on its websites, immediately took care to reassure customers by explaining the remedial actions implemented and inform of the activation of a task force of experts to manage and respond to the incident, activating the data recovery procedures.

Indeed, and we could not have expected less from a company like Maggioli, the data was promptly recovered from the system back-ups and made available again to customers.

Maggioli ransomware attack, don’t worry?

If the accident were limited to what has been described so far, all in all we could also sleep peacefully. The story of the facts would seem to report the news of an attack, which made the systems inoperative for a short period, but thanks to the typical measures of operational continuity, a pair of data was made operational quickly, creating only some temporary disservice, for example local authorities and / or citizens.

A ransomware, however, is not always and only a crypto locker, that is a malicious software that encrypts the data in the system and makes them unusable, until the ransom is paid and the decryption password is received by the attackers.

While ransomware is generally classified as an availability violation, it could also result in a privacy violation.

In fact, ransomware can also exfiltrate data and sometimes disguise its traces. The Guidelines 01/2021 on Examples regarding Data Breach Notification of EDPB (European Data Protection Board) describes the circumstances, precautionary measures and obligations under the GDPR in 4 different dynamics of ransomware attack, and explains that the only way to have the certainty that there has not been a confidentiality problem is that of having previously adopted an excellent encryption system and that the encryption key was not violated during the attack.

Maggioli in the note claims to have activated a cybersecurity team, to investigate the logs present on SIEM systems and firewalls to trace the source of the problem and identify evidence regarding the possible exfiltration of data.

Both notes as well as the Press release they reiterate that “there is currently no evidence that personal information has been stolen”. Maggioli, contacted by Cybersecurity360 regarding the extent and nature of the damages, refers only to the press release.

What worries

This leaves a margin of doubt, especially since the malicious software was specially conceived for Maggioli and it seems strange that the attackers did not imagine the existence of data back up, among the technical measures adopted by Maggioli, as recommended by EDPB, the cryptography does not appear, having which the notification to the Guarantor and the communication to the customers with the consequent mediaticity of the case, would not have been necessary.

The technical security measures adopted by Maggioli, which we report for information, are: virus protection; firewall; operational continuity, backup and disaster recovery mechanisms; penetration test and vulnerability assessment; intrusion detection systems; authentication and authorization systems; centralized updating of operating systems.

The compromised servers had Vmware Vsphere and Windows Server operating systems, and were present in the farms of Santarcangelo, Orzinuovi, Forlì, Thiene and L’Aquila. The fact that five different sites were breached and that as the October 1 note points out, six days after the breach, “the number of those affected has not yet been determined” underlines the scale and scale of the attack.

Pending new developments in the case, on the one hand the Maggioli team and on the other hand the DPOs of the Local Authorities involved will have to work to evaluate case by case the severity of the data breach.

Times are tight and the 72 hours provided for by Art. 32 of the European Regulation 679/2016 seem to have expired.


See also  What do we know about the 4 municipalities where 18-29 year olds are not yet vaccinated? - The financial

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.