On 31 July 2025, the data breach against the well-known company ACEA S.p.A. was published by the World Leaks group. The published data is extensive and reportedly amounts to some 2.6 TB.

It would be repetitive to explain that this also involves credential files in Excel and Word format, as well as abandoned mail archives left on the file system. The real problem with this data breach is a different one: the breach allegedly exposed files that would allow access to, and alteration of, the operation of technical installations, including steam turbines. Manuals, files and access credentials for the management and monitoring systems of these plants were exposed. Basically, exactly what the NIS2 directive seeks to prevent has happened, showing how much companies (even large ones) have underestimated both the impact of a data breach and the European directive itself.
General considerations
It is pointless to dwell on the technical aspects of this data breach: ACEA S.p.A. suffered the same damage as any XYZ S.r.l. Exposed files, exposed passwords, exposed user management and all the rest. The reflection to be made is a different one: for the umpteenth time, the data breach is part of a truly horrifying scenario in which the country's large companies show complete indifference to the issue of cybersecurity, except when it serves institutional communications or generates profit. A serious company, one that intends to have a respectable cybersecurity management, does not keep access credentials in Word files. It does not keep the access credentials of strategically relevant installations in an Excel file.
Reality versus stated aims
In the face of this havoc (because that is what it must be called), it is worth remembering that Italy presented ACN while talking about the "good father strategy", of which these are, clearly, the results. A relentless sequence of data breaches, with the related exposure of files, shows how underestimated, misunderstood and culpably ignored IT security has been. In a historical and geopolitical context that places Italy within a very complicated scenario, our major companies demonstrate that they have understood little or nothing about what IT security is, to the detriment of the security and integrity of information that could one day pose a risk to a few, or to many.