Data breaches at Italian hotels

This summer was characterised by a number of quite interesting data breaches, including those against some Italian hotels.

What happened

Since 5 August, some 160,000 Italian and foreign identity documents have been published. The offer for sale was posted on a well-known forum specialising in the sale of data leaks, and the seller (named Mydocs) stated that these data had been acquired recently (in June, July and August). Various accommodation facilities are involved: from Milan to Ischia, via Venice. At the beginning of August, Wired had published an interesting article by Chiara Crescenzi, ‘Italian hotels, thousands of stolen identity documents for sale on the dark web’. The article explained that CERT-AGID had found data stolen from hotels on the dark web and that, among this data, were identity documents. The amount of information sold was in the tens of thousands.

A few hours after the first ad, the user Mydocs shared a second one announcing the sale of 2,300 high-resolution images of the identity documents of guests of Casa Dorita, an Italian hotel that was hacked in June 2025. Then came a third, announcing the sale of a batch of no less than 30,000 scans of passports and other identity documents belonging to national and international guests of the Hotel Regina Isabella, a luxury resort in Ischia. Finally, as if this were not enough, the threat actor claimed an attack on the Spanish five-star resort Hills Boutique Mallorca, announcing the sale of more than 6,000 images of documents stolen from the resort’s computer systems.

Unfortunately, this is nothing new: identity documents are among the worst-handled document types, essentially because of the poor culture of those who have to handle them and the lack of suitable tools for carrying out the processing.

The screenshot of the portal where identity cards are sold

The document is often scanned and saved in an ordinary computer folder or, even worse, sent via WhatsApp and kept in the photo gallery of the B&B owner’s mobile phone. As the reader will know, a circular of the Ministry of the Interior requires de visu recognition of guests, but this does not exhaust the issue. Scanning with a mobile phone and ‘quick’ storage in folders are convenient but often inadequate solutions.

Aspects of detail

As of the current date (13 August 2025), the Mydocs user has for sale the documents of approximately 160,000 Italian and international citizens, taken from the following facilities:

| Structure name | Region | Location | Number of documents | Publication date | Declared acquisition | Asking price |
|---|---|---|---|---|---|---|
| Hotel Borghese Contemporary | Lazio | Rome | 7,600 | 13/08/25 23:35 | August 2025 | 2,000 |
| Hotel Rocca | Lazio | Cassino | 1,700 | 13/08/25 23:10 | August 2025 | 500 |
| Ercolini and Savi Hotels | Tuscany | Montecatini Terme | 3,600 | 13/08/25 01:36 | August 2025 | 1,000 |
| Hotel Mediolanum | Lombardy | Milan | 22,200 | 10/08/25 22:25 | August 2025 | 10,000 |
| Hotel Sanpi Milan | Lombardy | Milan | 5,600 | 10/08/25 22:15 | August 2025 | 3,000 |
| Savoia Resort | Piedmont | Bardonecchia | 22,100 | 10/08/25 21:11 | August 2025 | 10,000 |
| Astoria Suite Hotel | Emilia-Romagna | Rimini | 20,800 | 09/08/25 22:39 | July 2025 | 10,000 |
| Continental Hotel | Friuli-Venezia Giulia | Trieste | 17,000 | 08/08/25 12:48 | July 2025 | 8,000 |
| Hotel Ca’ dei Conti | Veneto | Venice | 38,000 | 06/08/25 17:20 | July 2025 | 20,000 |
| Hotel Casa Dorita | Lombardy | Milano Marittima | 2,300 | 06/08/25 16:55 | June 2025 | 800 |
| Hotel Regina Isabella | Campania | Ischia | 30,000 | 05/08/25 18:39 | N.A. | 14,000 |
| Total | | | 170,900 | | | 79,300 |
The table of affected hotels

Furthermore, the user states that all the identity cards were illicitly taken in August 2025, as shown in the example below.

The data acquisition declaration against the Hotel Continentale in Trieste

Regulations and identity documents

There is a lot of confusion on this point, and to untangle it a distinction must be drawn right away between the booking phase and the stay phase. The former serves to reserve accommodation in an accommodation facility (be it a room or a flat), while the latter serves to take actual possession of it for the period envisaged in the booking.

In order to make a reservation, the user enters into a contract with the accommodation facility, which consequently needs official documents to finalise the reservation. These documents are identity documents. Some establishments postpone the request for identity documents until the last possible moment, but sooner or later they will still be required to complete the check-in.

In order for the guest to actually enjoy the stay, the manager must verify the identity of the applicant. If the manager did not do so, any person could claim to be someone else and the claim would have to be taken at face value. To carry out this check, the manager compares the picture on the identity document with the face of the person in front of him. In this regard, it is good to know that a hotel requires an identity document pursuant to Article 109 of the Testo Unico delle Leggi di Pubblica Sicurezza (TULPS). The request is necessary because, for reasons of public security, an authority may ask the hotel for the details of the persons who stayed there during a given period. The article, which can be consulted here, says in paragraph 1:

Managers of hotels and other accommodation establishments, including those providing accommodation in tents, caravans, as well as owners or managers of holiday homes and flats and room rentals, including managers of non-conventional accommodation facilities, with the exception of mountain refuges included in a special list established by the region or autonomous province, may only provide accommodation to persons holding an identity card or other suitable document certifying their identity in accordance with the regulations in force.

The same rule, in paragraph 3, adds:

Within the twenty-four hours following their arrival, the persons referred to in paragraph 1 shall communicate to the competent territorial police headquarters, by computer or telematic means or by fax, the particulars of the persons accommodated, in accordance with the modalities established by decree of the Minister of the Interior, after consulting the Guarantor for the protection of personal data.

Thus, the TULPS clarifies ‘why’ and ‘what’ accommodation managers must do, but there is also the problem of short-term rentals, for which the well-known Circular of the Ministry of the Interior requires de visu identification of the persons who made the booking. The Circular reads:

In the light of the intensification of the phenomenon of so-called “short-term rentals” throughout the country, linked to the numerous political, cultural and religious events planned in the country, also in view of the celebrations of the Jubilee of the Catholic Church planned for the city of Rome from 24 December 2024 and taking into account the evolution of the difficult international situation, there emerges the need to implement stringent measures aimed at preventing risks to public order and safety in relation to the possible housing of dangerous persons and/or linked to criminal or terrorist organizations. […] Therefore, it is confirmed that the managers of accommodation facilities are required to verify the identity of guests, communicating it to the Police Headquarters exclusively in accordance with the procedures indicated in the Decree of the Minister of the Interior dated 7 January 2013, on “Provisions concerning the communication to the public security authorities of the arrival of persons accommodated in accommodation facilities”, as amended by the Decree of the Minister of the Interior dated 16 September 2021.

The acquisition of the identity document therefore serves several purposes: it is not only part of the ordinary management of the accommodation but is also necessary for the communication to the local police authorities.

The Data Protection Supervisor’s response

On 13 August 2025, the Garante per la Protezione dei Dati Personali published a note on the matter, reproduced in full in the original article.

Conclusions

One must be cautious with conclusions. The problem of accommodation is a complex one and there are no simple solutions to complex problems. Before pointing the finger at the accommodation facilities involved, certain aspects need to be investigated.

Current legislation (starting with the GDPR) obliges me, as a controller, to equip myself with all the methodological, cultural and technological tools needed to ensure that the processing of personal data is secure and compliant. If I cannot fulfil this requirement, the processing cannot even begin! This is worth remembering.

However, it is also possible that the damage was caused by negligent employees, or even by employees complicit in the sale of the data to the Mydocs user. In such a case one would be talking about sabotage, and this activity may not have been noticed by the accommodation facility. The point is that perfection does not exist and certainly cannot be demanded: if there was negligence of a methodological or technical nature, it will have to be ascertained, but the scenario is very complex and calls for a certain amount of caution in order to avoid drawing the wrong conclusions.

Technically, there are methods for securing file transfers and file storage, as well as for certifying the identity of persons, but the cases that can arise are so varied that the aforementioned caution is a must, just as it is a must to bear in mind that infallibility and zero risk do not exist.