Italian rail operator Trenitalia has informed customers of a cybersecurity incident that has exposed a significant amount of personal data, including names, contact details and loyalty card numbers, according to media reports.
The state-owned rail operator sent an email to "potentially affected" customers on 26 June notifying them of the data breach.
In its communication to customers, Trenitalia said cybercriminals may have gained access to personal information including customers' names, surnames, dates of birth and addresses, as well as email addresses, phone numbers, travel details, loyalty card numbers, professional information and ID details, according to reports.
However, payment data and account login credentials were not compromised, Trenitalia confirmed in its email.
The rail company has reportedly notified the Italian Data Protection Authority and Italy's national Computer Security Incident Response Team (CSIRT) of the cybersecurity incident, however the hackers remain unidentified. Trenitalia has also reportedly filed a complaint with the Rome Public Prosecutor's Office, but has not yet released a public statement in response to the cyber attack.
Reports indicate the breach was first detected in October 2025, potentially exposing customers’ personal data on the dark web for months. It remains unclear whether or how the stolen data has been used.
Under Italian law, organisations must notify the relevant authorities, including the Data Protection Authority, within 72 hours of becoming aware of a personal data breach.
In its 26 July communication to customers, Trenitalia said: “In order to accurately identify the individuals who were potentially affected, our IT teams had to carry out extensive technical and security analyses. These investigations took time because they involved reconstructing, in detail, any unauthorised access to the data. Only after these activities were completed were we able to identify the affected customers and send this notification."
The travel industry continues to be a frequent target for hackers and cybercriminals. Over the past year, travel suppliers and airports have experienced numerous high-profile breaches. Last November, a third-party vendor for Spain-based Iberia Airlines exposed customer data, and in September several major European airports experienced disruptions after a cyber attack against a provider of check-in and boarding systems. This followed a June breach at Qantas that compromised approximately 6 million records, including contact details and frequent flyer numbers.
Read more in BTN’s Travel Risk Outlook 2026: Cyber crime is on the rise