Nearly 100,000 identification documents have been stolen from Italian hotels and are being sold on the dark web, the Agency for Digital Italy (AgID) has warned. The hotel data breach could have serious consequences for those affected.
The Agency said scans of passports, ID cards, and other documents collected during hotel check-ins have been compromised. The attack, detected by AgID’s cybersecurity unit CERT-AgID, is one of the largest data breaches affecting Italy’s tourism sector.
The hacker, using the alias “mydocs,” claims to have accessed hotel computer systems without authorisation between June and August 2025. Ten hotels across Italy have confirmed breaches, though authorities believe more cases may surface in the coming days.
AgID reported that the hacker has posted multiple listings in recent days. On August 8, 17,000 stolen identity documents were offered for sale. On August 9 and 10, a further 70,000 documents appeared online, allegedly from four more hotels. Finally, on August 12, an additional 3,600 documents were advertised, bringing the total to nearly 100,000.
The agency said the consequences for victims could be “serious, both economically and legally.” Stolen identification data can be exploited to create fake documents, open fraudulent bank accounts, and carry out digital identity theft.
AgID has issued a circular to trust service providers, including those managing SPID and digital signatures, urging heightened checks during document verification.
The agency also advised citizens to monitor their accounts closely, watch for credit applications or unauthorised activity, and report any suspected abuse immediately.
Cyberattacks targeting hotels and booking platforms have increased in recent years, exploiting the large volumes of personal data collected from international travellers. With Italy welcoming millions of tourists each year, authorities warn the sector remains a prime target.
Investigations into the hotel data breach are ongoing.
