Tourist identity documents of approximately 100,000 individuals, according to 'MyDox', have been illicitly obtained from Italian hotels.
Large-Scale Identity Document Breach Affects Ten Italian Hotels
A significant data breach has been confirmed in Italy, with ten hotels affected and tens of thousands of tourists' identity documents stolen electronically from hotel servers. The stolen identity documents, consisting of high-resolution scans of passports, ID cards, and other sensitive identity data, have been put up for sale on the dark web.
The Italian Digital Authority (AgID) is leading the investigation into the breach, which occurred between June and August 2025. The agency has not disclosed any information about any arrests or suspects but has stated that the stolen identity documents could be used for fraudulent activities such as forging documents, opening bank accounts, or impersonating digital identities.
The perpetrator, known as "MyDox," claimed to have obtained the data through unauthorized access to information systems during the mentioned period. The stolen files are estimated to number around 100,000.
In response to the breach, AgID has urged affected individuals to take precautions to protect their personal information. Key recommended actions include monitoring financial accounts and credit reports closely, being vigilant against social engineering and phishing attacks, and placing fraud alerts or credit freezes with credit bureaus.
Individuals are also advised to contact the hotels at which they stayed during the affected period to inquire about the breach status and follow their recommended protective measures. In addition, they should report suspicious activities to local authorities and keep records of communications with the hotels and law enforcement for support in case of future identity fraud issues.
To further secure personal and financial information, individuals are encouraged to change passwords and enable multi-factor authentication on accounts linked to their identity documents, especially digital identity services like SPID in Italy that were cited in a related breach.
Authorities, including AgID and the Data Protection Authority (Garante), are urging hotels to secure their systems and promptly notify affected guests. The Italian Digital Authority's investigation is ongoing, and no further details about the precautions for affected individuals or the progress of the investigation have been provided. However, the agency has not ruled out further cases emerging in the coming days.
Staying alert for signs of misuse, working with hotels and authorities, and taking proactive steps to secure your personal and financial information are essential steps to mitigate damage after this large-scale identity document breach in Italian hotels in 2025.
