Has the Revenue Agency Been Hacked?

26/07/22

July 25: in Rome the temperature keeps rising, and not just that of the weather! A few days ago the government fell; today it seems to be the turn of the Revenue Agency. On social media, news, half-rumors and denials chase one another ... "The Agency has been hacked ..."

The Revenue Agency declares: "With reference to the news that appeared on social media and was picked up by some of the press about the alleged theft of data from the tax information system, the Revenue Agency specifies that it immediately requested feedback and clarifications from Sogei Spa, a public company wholly owned by the Ministry of Economy and Finance, which manages the technological infrastructures of the financial administration and which is carrying out all the necessary checks".

"News denied ..."

Sogei states that "There are no cyber attacks or data stolen from the platforms and technological infrastructures of the Financial Administration".

Who is right? As usual in Italy, you can't make sense of anything!

Yet the best informed say they have seen files from the file system, organized by user, with personal documents, identity cards, passports ... Is it possible that in 2022 there are still those who organize data in this way? Why not a database?
But is it really data from the Revenue Agency?

But anyway, this is the situation:

Unfortunately, the worst must be assumed: that LockBit has actually hacked the Agency and is in possession of the data.

LockBit is asking for a ransom, threatening to publish the data within five days.

Now let's try to consider some possible courses of action:

  1. The state decides not to pay the ransom. Simple, the consequences are already clear. The stolen data, apparently about 75 GB, will be made public, perhaps partly sold on the black market, with all that this entails. Scams, impersonations, blackmail ... yes, because it is the financial data of all the subjects (or part of them) that were in the DBs of the Revenue Agency.
  2. The state decides to pay. The hackers are honest and, after receiving their compensation, they return the stolen data and delete any copies created. A credible hypothesis? I would say hardly. But by now the damage is done, and the only thing left is to hope for their honesty. And if they were dishonest, we would be back to case one, with the aggravating circumstance of having paid the ransom.
  3. The state sets in motion all the structures created in recent years, activates all NIS directives, draws on countless regulatory standards and its best men to ...

Unfortunately I have run out of hypotheses, but the questions remain: 

  1. How could this happen? The rules stipulate that particularly sensitive data must be at least encrypted ... was ours? Judging by the published screenshots, it would seem not.
  2. And now? Who pays for what happened? The technician at the bottom right or the data owner? More likely the co-owners, if the attack is confirmed, given that several organizations could share responsibility: the Agency first of all, but also the Sogei company. Surely the Privacy Guarantor will have his say. Maybe one could even think of a class action ... but let's be serious, how could it end if not in tarallucci and wine?

Unfortunately, whatever one can say will not help bring things back to the moment before the incident. Yet sound prevention, proper information and training of personnel, and bug bounty and pentesting activities can sometimes help.

But you need to know what we're talking about ... and that's not always the case!

Alessandro Rugolo, Danilo Mancinone, Ugo Micci, Carlo Mauceli, Federica MR Levelli
