Depot Napoli: data breach

There was a data breach against an adult-only club in the city of Naples, which was claimed by one of the most notorious cybercriminal collectives.

What happened

n 15 January 2026, the LockBit collective uploaded on its portal the claim of an attack against the fetish club Depot Napoli. Depot Napoli is a ‘fetish cruising bar’ based in Naples that organises events as well as club membership as an ASI (Associazioni Sportive Sociali Italiane) affiliate.

The effects of a possible data breach could be highly impactful given that this is an entity that processes personal data belonging to the sexual sphere of individuals and therefore special personal data. In particular, if a data breach were to be confirmed, it would concern the category ‘Data relating to sexual life or sexual orientation’ on the notification form (section 12 p).

It should be made clear that at the time of writing this article (20/01/2026 at approx. 12:40 a.m.), the LockBit colelective has not released any demo files (so-called samples), the release date of the exfiltrated files being 30 January 2026 at 11:02:07 UTC.

This is also in the light of what has been written above, namely that Depot Napoli allows the membership of its members and this process is carried out through the Asso Facile management software. By clicking on the dedicated membership link on the Depot Napoli portal, one is redirected to a dedicated form in the assofacile.it domain and to be exact:

https://gestionale.assofacile.it/calendario/depotnapoli/iscriviti

What data are required from registered users

Among the data required in the membership procedure are the following:

1. Basic Data
   1. Name
   2. Surname
2. Residency Data
   1. Address
   2. Region
   3. Municipality
   4. C.A.P.
3. Domicile/shipping address (if different from residence)
   1. Header (at)
   2. Address
   3. Region
   4. Municipality
   5. C.A.P.
4. Date of birth
   1. Date
   2. Region of birth
   3. Municipality of birth
   4. C.A.P.
5. Sex
6. Tax code
7. Phone
8. Mobile phone
9. Document type
10. Document number
11. Document issued by
12. Document issue date
13. Document expiry date
14. Ordinary email
15. Email PEC
16. Document attachment

Notices and official news

There are currently no announcements on the club’s website. No announcement has been made on the club’s Facebook page either, the latest post of which is stuck at 12 January 17:20.

It is therefore not possible to know whether the attack was confirmed by Depot Napoli and whether the members were correctly alerted according to the regulations.

Points of attention and possible consequences of the data breach

Certainly, the easiest to imagine would be the loss of confidentiality with impacts that have yet to be determined. Certainly, the main cases envisaged by the Garante would arise, namely:

• Disclosure of data outside the scope of the information notice or the relevant regulations.
• Possibility of using the data for purposes other than those intended or in an unlawful manner.

Among the most relevant impacts would undoubtedly be the loss of control over personal data together with discrimination, damage to reputation and knowledge by unauthorised third parties. In this regard, it is worth pointing out that the Depot Napoli portal does not display any information on its home page, not even a privacy policy despite the presence of a contact form, and not even a cookie policy despite the fact that the site implements Google Analytics among its cookies.

The contact form, as shown in the photo, does not contain any personal data processing clause to be accepted, nor any further information that would clarify how this data is processed.

These include Google Adsense’s ‘_gcl_au’ for conversion tracking, for more information check here but especially here.

A privacy policy, on the other hand, is included in the membership form, which, however, would have serious discrepancies. The PDF file, in fact, would have been obtained from an export of the Pixelmator Pro 2.1.3 programme (a graphics programme for the Apple environment) with such a poor resolution that it is not clearly readable. One result could already be seen from the screenshot shown here

One can note (with some difficulty) the sentence‘The Data Protection Officer (DPO) appointed by the Association is the person to whom each data subject can write in relation to the data processing carried out by the Association and in relation to his or her rights‘; to be fair to readers, a direct link to the file is given:

Please note that the file can be identified by the following hash code:

MD5	dc99ca6a145f27de7b8ed696f0524cbc
SHA 512	b3aaeeba79ee224d654ea21112a47ce63b7d48d261c91ae38a610d4420586d4d57c07b7e409d761514388e2da82893cae86aa59b82e45bcde8c276d36dbe135f

Chronology of events

15/01/2026 - Lockbit publishes the claim.
28/01/2026 - Lockbit publishes some files stolen from Depot Napoli.
30/01/2026 - Date declared by the LockBit collective for the publication of the files.

---

Updates

30/01/2026 – Data publication date

30 January was the date Lockbit had chosen to publish the data stolen at Depot Napoli, and in the meantime, the club’s web portal has not published any announcement about the incident. The stolen documents could therefore mostly concern the running of the club and the management of the staff, but the exposure of the data of any members belonging to the club may remain an unknown.

28/01/2026 – Example files published

LockBit has published some examples of the stolen files(samples) apparently of little value and among other things with censorship in the presence of names. It is therefore unclear what information assets are really in the hands of the collective.