90,000 Traveler Identities Stolen in Italian Hotel Data Breaches

Cybercrime has evolved into a sophisticated global menace, plaguing every sector—including travel. From targeted attacks in Italy to Spain’s controversial data collection decrees and high-profile breaches at major airlines, travelers can no longer afford to treat the protection and handling of their personal information lightly.

Hackers Target Italian Hotels, Stealing 90,000 Identities

The Agency for Digital Italy (AgID) and Italy’s Postal Police recently dismantled the hacking ring known as “Mydocs,” which specialized in selling stolen personal data on the dark web. The group targeted at least four four-star hotels in Italy, compromising the identities of approximately 90,000 guests who had submitted identification documents at check-in.

The breached properties include:

• Ca’ dei Conti in Venice (38,000 images stolen),

• Casa Dorita in Milano Marittima (2,300 documents),

• Regina Isabella on Ischia (30,000), and

• Hotel Continental in Trieste (17,000).

The stolen files include photographs from ID cards and passports, as well as driver’s licenses. Some materials are reportedly resold for between €800 and €10,000. Fraudsters exploit such identities to open bank accounts, apply for loans, and cash out—in a sharp spike of incidents reported between August 9 and 11, documents were advertised for sale on the dark web.

A Growing Global Threat in the Travel Sector

While Italy faces severe localized breaches, the travel industry continues to be hammered by cyberattacks worldwide.

• Qantas, Australia’s flagship carrier, disclosed a “significant” cyberattack after hackers breached a system containing sensitive data.

• In June, Center Parcs revealed that records of about 20,000 customers had been compromised.

• Aerticket, a major consolidator, also experienced a large-scale incident.

• British Airways suffered a 2018 breach affecting over 400,000 customers, culminating in a £20 million fine in 2020 after detection delays of more than two months.

• In May 2020, EasyJet announced that a cyberattack had impacted 9 million customers.

• WestJet confirmed that personal data linked to guest itineraries were unlawfully accessed during a June cybersecurity incident; no credit-card or password data was compromised. The airline worked with authorities and reinforced security controls.

• Voyageurs du Monde publicly refused to pay a ransom demanded following a 2023 breach.

Generative AI is amplifying the threat. AI-powered tools help cybercriminals craft more convincing phishing emails and translate them rapidly, tricking recipients into sharing credentials. Booking.com, which uses AI to detect fraud, blocked 60 million fraudulent emails containing malicious links in a single month. Cybercriminals have also cloned official museum and theme-park websites to peddle fake tickets.

Spain’s “Big Brother” Tourism Data Decree

Elsewhere in Europe, Spain has introduced sweeping new requirements that raise fresh privacy concerns. Since December 2023, Royal Decree 933/2021 obliges hotels, travel agencies, and car rental firms to collect and transmit massive volumes of guest data to domestic authorities every evening via a dedicated digital platform.

Reported requirements include:

• 13 core fields per guest, rising to 42 in hotels and more than 60 in car rentals.

• Details include full name, ID/passport number, phone, place of birth, family relationship links to co-travelers, payment method specifics, and travel patterns from the previous three years.

• Facilities that refuse face fines up to €30,000; travel agencies and tour operators may be fined up to €25,000.

• Travelers who decline to supply data may be denied hotel stays or vehicle rentals.

Spanish tourism professionals, represented by CEHAT (the Spanish Confederation of Hotels and Tourist Accommodations), have decried the measure as “completely illegal and disproportionate,” labeling it a “Big Brother” regime. ECTAA, the European travel agent trade association, warns the scope contravenes GDPR and risks exposing visitors to misuse or theft. CEHAT has filed suit against the Spanish state.

Madrid’s government counters that the decree is vital to combating terrorism and organized crime; authorities point to a pilot phase that allegedly helped identify 18,000 suspects. The debate underscores how deeply cyber risk and state-mandated data hunger now intersect for travelers.

Facing such risks—whether from brazen heists or intrusive state collection—travelers must become their own first line of defense, AgID stresses. Vigilance, skepticism toward unsolicited communications, and cautious document handling remain non-negotiable.