On 14 January 2026, the Anubis collective published documents that allegedly demonstrate a data breach at the Port of Ancona.
The port of Ancona is part of the Central Adriatic Sea Port System Authority (AdSP). This AdSP includes: Ancona, Pesaro, Falconara Marittima, San Benedetto del Tronto, Pescara, Ortona and Vasto. The Port System Authorities are NIS2 subjects of high criticality and are also impacted by AgID Circular 2/2017 containing the Minimum ICT Security Measures for the Public Administration.
What happened
The Anubis collective has published some files stolen from the Ancona AdSP, among which there could also be documents relating to reports to the Ancona Harbour Master’s Office, reports of various kinds updated to 2025. Understanding the extent of the damage is difficult but, considering the material published by Anubis, the information assets stolen would be significant.
According to the collective, more than 56,000 files with over 8,000 folders were illicitly acquired. If this data breach turns out to be similar to the others, it would be plausible that among the stolen files could also be those intended to contain credentials for access to systems and services, which would entail a breach of the most basic security measures, together with a general aggravation of the consequences of the attack.
In similar data breaches, in fact, credentials were stolen for social accounts, for accessing institutional platforms, for accessing web portals, all information incorrectly held within text files (.txt), Word files (.docx), Excel files (.xlsx).
At 00:49 on 15/01/2026 there was no information on the home page about the incident in the “News” section. While waiting for developments, it is worth considering that the activities carried out by the AdSP are many and among these, as mentioned above, there are also the safety inspection activities carried out by the Port, which are carried out through the writing of inspection reports and the collection of multimedia material (mainly images and videos).
Who is Anubis
According to the Ransomfeed portal, the Anubis collective has carried out 43 offensives between 2025 (40) and 2026 (3) and this would appear to be the first in Italy. The group has claimed victims mainly in the United States, but also in Spain, Australia, Great Britain, Canada, and Germany, including logistics organisations (Den Hartogh Logistics), healthcare facilities (Olive Branch Family Medical Center), and public administrations.
Elements of attention
In the writer’s opinion, the attack on the AdSP of the Port of Ancona presents some unclear information:
- It is not clear whether credentials were exposed among the stolen files. If this were the case, it would constitute a violation of what is prescribed by NIS2 on the subject of the proper holding of such data, a violation of AgID Circular 2/2017. In particular, safeguard 5.11.1“Store administrative credentials in a manner that ensures their availability and confidentiality.”
- The phrase ‘the same data affected by the IT security incident in March 2024’ is not clear, because if they were the same, it would not explain the exfiltration of documents with dates after 2024.
- The incorrect application of the authentication mechanisms and the failure to apply the MFA would constitute a non-compliance with Legislative Decree 138/2024, art.24 c.2 letter i)“security and reliability of personnel, access control policies and management of assets and assets” and especially with letter l)“use of multi-factor authentication solutions or continuous authentication, secure voice, video and text communication, and secure emergency communication systems by the subject internally, where appropriate“. It should also be noted that the lack of MFA activation on administrative users is a non-compliance that the Garante per la Protezione dei Dati Personali has included in several orders in the past. One of these is the famous provision of 28 September 2023 No. 426 in which it was noted that ‘Specifically, at the time of the violation, the computer authentication procedures used in the context of VPN access and workstations did not provide for the use of the double authentication factor, while the password policy did not include a differentiation between users with administrative privileges and users without administrative privileges’.
- It is unclear whether the port employees were notified late, as explained in the update of 18/01/2026 and reported by Corriere Adriatico. If this were the case, it would have violated the regulations that call for timely communication to those affected. However, the official communiqué makes no mention of this delay.
From the files stolen and published by Anubis, there would also be identity documents, which the newspapers took a look at and reported in their articles. It remains to be understood, therefore, how responsible the port’s data holdings are, also in relation to the legislation in force since 2017 on computer security. If it had been disregarded (e.g. by storing credential files in an inadequate manner), there would be grounds for the detection of non-compliance, even of a serious level.
Conclusions
In conclusion, despite the fact that the communiqué published on the Internet by the Port of Ancona reasonably aims to mitigate the effects of the cyber incident with phrases such as‘The attack, recently claimed, managed to steal only 2% of the information‘, there are still some points to be clarified that could also indicate the neglect of IT security rules in place since 31/12/2017.
Update of 18/01/2026
An article in the Corriere Adriatico by Federica Serfilippi reports that the cyber attack allegedly took place in December and that the port’s employees were warned extremely late.
In the circular issued to staff on 8 January and to the regional trade unions Cgil, Cisl and Uil, the Authority explained the computer attack suffered on 11 December and claimed only at the beginning of this week by the Anubis collective. The raid on the authority’s computer system allowed hackers to get their hands on 56,000 files, many of which ended up on the network and containing sensitive data.
Update of 16/01/2026
09:00 – The Port of Ancona portal does not currently have an announcement/notice on the incident. Yesterday, 15/01/2026, at around 17:10, the portal was updated with the news ‘Port of Ancona: structural adjustment of quay 23 underway’.
16:46 – The web portal of the Port of Ancona publishes a news about the computer incident that occurred. The text of the communiqué reads as follows.
In connection with the cyber attack that took place on 11 December 2025, the Central Adriatic Sea Port Authority took immediate action to protect the data in its possession. The attack, which was recently claimed, managed to steal only 2 per cent of the information.
The Adsp has taken all the appropriate technical and organisational measures to manage the issue, with the support of the DPO, the Data Protection Officer, in addition to carrying out the administrative activities required by the legislation, including complaints and notifications to the competent bodies (Postal Police and the Data Protection Authority).
All cybersecurity measures were taken to counter cyber attacks, which, as is well known, are unfortunately becoming increasingly frequent and widespread. Trade union representatives and Adsp staff were also informed of the incident in good time.
The attack occurred during the migration of the Port System Authority’s data to the Psn-Polo strategico nazionale, the infrastructure to guarantee security and technological autonomy on strategic assets for the country. From the report on the cyber attack, it emerges that the technical and organisational security measures adopted were able to limit the negative effects of the event and that, by continuing to activate all the devices, software and activities already planned, these events can be further reduced and made less impactful.
The Adsp received a communication on 14 January from the Agenzia per l’Italia Digitale informing it that the cyber attack, already known to the Authority, had been carried out by the cybercriminal group Anubis. Following the Agid communication, the Port Authority’s Cyber Working Group drew up, as required by law, an information notice that was published today on the Authority’s notice board: https://porto-ancona.trasparenza-valutazione-merito.it/web/trasparenza/dettaglio-albo-pretorio?p_p_id=jcitygovmenutrasversaleleftcolumn_WAR_jcitygovalbiportlet&p_p_lifecycle=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=1&_jcitygovmenutrasversaleleftcolumn_WAR_jcitygovalbiportlet_current-page-parent=0&_jcitygovmenutrasversaleleftcolumn_WAR_jcitygovalbiportlet_current-page=2489
Regarding the above-mentioned notice, which can also be found at this address, it is interesting to read its contents, in particular the part that dimensions the accident.
The malicious user exfiltrated a small subset, 36GB out of a total of 2250GB, of the same data affected by the computer security incident in March 2024.
On this aspect, however, there is a detail that is not very clear: the Port claims that the same data were exfiltrated as those affected by the IT security incident that occurred in March 2024, but Anubis published data with a date of 2025 (e.g. the table of inspections carried out). Corriere Adriatico also mentions this in an article by journalist Antonino Pio Guerra:
Suffice it to say that among the documents published by Anubis is the updated report on the large ship quay project at the Clementino quay in October 2025.
Another interesting aspect would be to find out whether there were mismanaged credentials among the stolen files, which would pose the risk of increased attack consequences. In this respect, the Corriere Adriatico journalist shows his doubts:
Doubts also arose about the tightness of the systems: an Excel file on the Pnrr with the explicit title: ‘Platform Access Passwords’ was disclosed.
