Data breach: Municipality of Pisa

The Municipality of Pisa was subject to a data breach by the NOVA collective. Let us try to understand what happened and the consequences of this action.

What happened

The claim published by the NOVA group

On 10 May 2025, the NOVA collective published a post claiming an attack on the Municipality of Pisa. The post also states the following:

we take 2TB this will be part 1, part we will leak everything contact us soon: ext : PDFs, OUTLOOKs, DB, XLSX, PNG, JPG, TXT, sources (configs)

gov documents, payments databases, secret plans, softwares codes, emails templates contents, costumers information, gmails, phones, invoices, Workers informations, peoples IDs, hospitals docs etc.

note (admin will face readme follow it we know you have money, you have 15 days, make sure that we put 50000 payload worms, and C2 if you deasn’t pay your choice, 2TB encrypted, bitdefender and endpoints, will not help you against Nova, ransom payment will be pizza and some dollars )

The attackers claim to have stolen a total of 2 TB from the municipality and that this first release contains only the first 100 GB.

About NOVA

To learn more about the NOVA group it is worth consulting a few sources on the Internet. Note first that NOVA distributes its own ransomware (RALord), written in Rust and analysed in detail by SonicWall in an interesting article.

The note accompanying NOVA Group ransomware

The group is relatively new and made itself known by declaring that it would not attack schools or non-profit organisations. Similar statements have been made in the past by groups that subsequently broke that promise, so there is no reason to assume NOVA will not do the same.

The impact on the municipality

The municipality of Pisa lies in Tuscany and is famous for its many historical and artistic attractions, including the Leaning Tower. According to ISTAT's demographic balance, the municipality had 89,456 inhabitants in February 2025.

The ISTAT demographic balance table

The NIS2 issue

Many have argued that, as a public administration, the Municipality of Pisa should fall under the requirements of the NIS 2 Directive (transposed in Italy by Legislative Decree 138/2024). The problem with this argument is that Annex III, point c) of the Decree lists the public administrations covered by NIS2 as:

1) Metropolitan cities;
2) Municipalities with a population over 100,000 inhabitants;
3) Regional capital municipalities;
4) Local Health Authorities.

The municipality of Pisa does not automatically fall into any of these four cases: it is not a metropolitan city, its population is below 100,000, it is not a regional capital (the capital of Tuscany is Florence) and it is not a local health authority.

The impact

Regardless of NIS2, an attack on a municipality is undoubtedly a serious matter, because municipalities hold heterogeneous data, including data in special categories (e.g. health data) that are needed to complete various procedures for citizens. In the past, when other municipalities were attacked, the exfiltration of data from offices such as ‘Social Affairs’ or ‘Municipal Police’ proved particularly significant. For more details on the impact, we recommend reading these two articles:

Data breach: focus on recovery

Taggia Municipality: data breach

For the Municipality of Pisa it will therefore be necessary to ascertain whether data of this nature have been exfiltrated, bearing in mind that the files published so far by NOVA may not include recent documents (this is only the first part). There is also the fear that the municipality's files may contain plaintext passwords inside documents: this has already happened with other municipalities that stored credentials in files never meant to hold such information. The classic example is a ‘password.txt’ or ‘password.doc’ file, but other file types are affected too. Files meant to hold an ‘order form’, for instance, often contain the confidential credentials needed to access procurement platforms. In those cases one finds information such as: username, password, voucher code, company/organisation identifier.

An example of the credentials that can be found in documents

Alongside these, the documents typically include the instructions for redeeming the voucher, i.e. a procedure described step by step that an attacker could follow without any difficulty.
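As an added illustration (not part of the original article and not the municipality's or NOVA's code), the script below shows how an incident responder might triage a dump of documents for exactly the kind of credential-bearing files described above: it flags files whose name announces stored credentials and files whose content pairs an identity field (username, organisation code) with a secret (password, voucher code). It works on plain text only, so it assumes that office documents and PDFs have already been converted to text; the sample files, the Italian field names and the directory layout are all constructed for the example.

```python
"""Triage a document dump for files that expose credentials.

Added example for the article on the Municipality of Pisa breach. It assumes
documents have already been extracted to plain text; the sample tree built by
build_sample_tree() is constructed for the demo and is not real municipal data.
"""
import re
import tempfile
from pathlib import Path

# Filenames that announce stored credentials ("password.txt", "credenziali.docx", ...).
SUSPICIOUS_NAME = re.compile(r"(password|passwd|pwd|credenzial|credential)", re.IGNORECASE)

# "key: value" / "key = value" lines typical of order forms and access instructions.
# Keys are grouped by role so an identity + secret pair can be told apart from a lone mention.
# Italian/English key names are assumptions for the example, not a complete list.
IDENTITY_KEYS = ("username", "user", "utente", "login", "codice ente", "organisation id", "organization id")
SECRET_KEYS = ("password", "pwd", "voucher code", "codice voucher", "voucher")
_KEY_ALT = "|".join(re.escape(k) for k in IDENTITY_KEYS + SECRET_KEYS)
# Anchored at line start so prose such as "il voucher: accedere..." mid-line is not matched.
CRED_FIELD = re.compile(rf"^\s*({_KEY_ALT})\s*[:=]\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def mask(secret: str) -> str:
    """Keep only the first two characters so the triage report does not leak the secret itself."""
    return secret[:2] + "*" * max(len(secret) - 2, 3)


def scan_text(text: str) -> dict:
    """Return the identity and secret fields a document exposes, with secret values masked."""
    identity, secrets = [], []
    for m in CRED_FIELD.finditer(text):
        key, value = m.group(1).lower(), m.group(2)
        if key in SECRET_KEYS:
            secrets.append((key, mask(value)))
        else:
            identity.append((key, value))
    return {"identity": identity, "secrets": secrets}


def triage(root: Path) -> list:
    """Walk a directory of text files and list those worth a closer look, most dangerous reason first."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        if SUSPICIOUS_NAME.search(path.name):
            reasons.append("suspicious filename")
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole run
        fields = scan_text(text)
        if fields["secrets"] and fields["identity"]:
            reasons.append("identity + secret pair")   # a ready-to-use login
        elif fields["secrets"]:
            reasons.append("secret without identity")
        if reasons:
            findings.append({"path": path.relative_to(root).as_posix(), "reasons": reasons, **fields})
    return findings


# Constructed sample documents (not real municipal files). The "policy" file is a
# deliberate near miss: it mentions passwords without storing one.
SAMPLE_FILES = {
    "Acquisti/modulo_ordine.txt": (
        "Modulo d'ordine piattaforma acquisti\n"
        "Codice ente: 01234567\n"
        "Utente: ufficio.acquisti\n"
        "Password: Primavera2025!\n"
        "Codice voucher: AB12-CD34\n"
        "Per riscattare il voucher: accedere, inserire il codice, confermare.\n"
    ),
    "Segreteria/password.txt": "Password: segreteria#1\n",
    "Bilancio/relazione_2024.txt": "Relazione sul bilancio. Nessuna credenziale.\n",
    "IT/policy.txt": "Password policy: minimo 12 caratteri, cambio ogni 90 giorni.\n",
}


def build_sample_tree() -> Path:
    """Write the constructed sample files into a fresh temporary directory and return its root."""
    root = Path(tempfile.mkdtemp(prefix="doc_triage_"))
    for rel, body in SAMPLE_FILES.items():
        dest = root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_text(body, encoding="utf-8")
    return root


def demo() -> list:
    """Run the triage over the constructed sample tree."""
    return triage(build_sample_tree())


if __name__ == "__main__":
    for f in demo():
        print(f["path"], "->", ", ".join(f["reasons"]), f["identity"], f["secrets"])
```

The order form is reported as an identity + secret pair, the bare password file as a secret without identity, and the policy document is not reported at all, because a line such as "Password policy: ..." has text between the key and the colon. Secrets are masked before they reach the report, since the triage output itself is likely to be shared with management and the supervisory authority.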

The Municipality’s communication

Another striking aspect is the ‘silence’ of the Municipality of Pisa on its official portal, which has three sections for public communication:

  • News
  • Press releases
  • Notices

In none of the three sections was any reference to the data breach found. Below are screenshots of the sections of the site as of 21/05/2025 at approximately 11:00 a.m.

It is worth recalling what the GDPR (EU Reg. 2016/679) provides for such cases. Article 34, ‘Communication of a personal data breach to the data subject’, paragraph 1 reads:

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

Communication is not always compulsory, however: paragraph 3 of the same article provides that:

The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:

(a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;

(b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;

(c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

Conclusions

Pending the release of the remaining files, which may contain more sensitive data than those currently published in the sample, it should be borne in mind that an attack on a public body is always delicate: whether it is a small municipality or a local health authority, the data are always of considerable importance.


Updates

23/05/2025 – Parliamentary question

Ylenia Zambito, a PD member of parliament, has tabled a parliamentary question to investigate what happened at the Municipality of Pisa and to ask:

‘whether the Government is aware of the cyber attack suffered by the Municipality of Pisa and what information has been acquired concerning the extent and nature of the data exfiltrated, and whether the competent authorities, such as the National Cybersecurity Agency and the Personal Data Protection Authority, have been involved in order to assess the impact of the attack and coordinate the response actions’. The parliamentary act also asks whether the government intends to disclose how many local administrations have so far been subjected to ransomware attacks with exfiltration of sensitive data, and how much ransom has been paid for the return of the data. […] ‘In addition, it is especially necessary to know what cybersecurity measures have been taken to date to effectively protect sensitive data held by local administrations, what further urgent initiatives it intends to promote to strengthen the cybersecurity of local public administrations, in particular through training programmes, technological upgrading and the implementation of advanced defence systems, and to avoid repercussions on public finances and local administration budgets due to ransom payments resulting from the exfiltration of data by cybercriminal groups’.

This is not the first time a parliamentary question has been tabled following a cyber attack: in 2022, after the attack on the municipality of Torre del Greco, a 5 Star Movement member tabled one.

22/05/2025 – Statements by the CUB

On 21/05/2025 the CUB (Confederazione Unitaria di Base) issued the following statement on its website, which was also reported by the daily newspaper ‘Il Tirreno’ (Pisa local news).

“In recent days we had intervened to solicit answers and information, which arrived late and in very general terms. As a matter of fact, what we learn from the city press is the picture of an organisation that has become accustomed to resorting to the media to glorify its own fortunes and actions, but is very hesitant to speak out when the context does not favour the self-praise of the Council. What happened to the Municipality of Pisa has already happened to other public administration bodies; computer hacking is widespread and represents a problem that needs to be tackled with a qualitative leap that immediately takes the form of adequate staffing, efficient and modern working tools, and constant training. As trade unions and employees of the municipality of Pisa, we were not informed of the theft of employee data, everything was played down since the image of the authority and its administrators could not build narratives and celebrations on this issue. As a result, an attack, which is now commonplace, on a PA body turns into a kind of farce and, instead of addressing the problems in order to solve them, without looking for scapegoats but instead searching for the flaws in a system to protect the general interest, they prefer inadequate and belated communication and treating employees like subjects from whom blind obedience is required, while at the same time reminding them of the rules for using IT tools, as if the problem had arisen from staff carelessness and not from some flaw in the system. The time of believing, obeying and fighting would be over, but the conditional is obligatory, and our organisation is being called upon to make a qualitative leap that also requires adequate personnel policies, of which we see no trace. And for this, the citizens and staff must be held accountable.”

CUB, Municipality of Pisa

Particularly relevant is the sentence: ‘As trade unions and employees of the municipality of Pisa, we were not informed of the theft of employee data, everything was played down since the image of the authority and its administrators could not build narratives and celebrations on this issue’.