Cyber attack notice
GNV has been the victim of a cyber-attack
Genoa, 23 September 2019 – GNV reports that it has been the victim of a sophisticated cyber-attack that has led to a breach of confidentiality regarding the personal information of a number of passengers, credit card holders and persons in whose name reservations were made, who purchased tickets on the company website. Enquiries carried out with the support of independent professionals have ascertained that a cyber-attack took place in the period from 25 June to 18 July 2019.
Following reports of suspicious transactions from a number of payment circuits, detailed and in-depth enquiries were promptly set up regarding the dynamics of the attack. The results of the enquiries highlighted unauthorised access carried out by unidentified persons to certain personal information and, in some cases, to data regarding credit cards used for transactions on the website.
GNV informed the Italian Data Protection Authority of the breach and also immediately implemented measures to respond to the breach and prevent a similar attack from taking place in the future.
GNV deeply regrets the cyber-attack, but above all the potential inconvenience that this attack may cause. The protection and the security of the privacy of those using GNV services is in fact a crucial element in the Company’s business culture.
In this light, GNV is evaluating the appropriate legal action to take against the persons responsible.
- What happened and when?
We have been the target of a sophisticated cyber-attack. Enquiries carried out have revealed that there has been a breach of confidentiality concerning the personal data of a number of our passengers and credit card holders who purchased tickets via the website www.gnv.it in the period from 25 June to 18 July 2019.
- What personal data has been involved in the attack?
Identification data, personal data, contact data and credit card details used to purchase tickets from the website www.gnv.it.
- How could this happen; didn’t you have suitable security measures?
Yes, but the perpetrators used particularly sophisticated techniques in the attack that were capable of penetrating the most elevated levels of security.
- What do I need to do?
For your protection, we recommend you contact the institution that issued the credit card or debit card used to purchase tickets on the website www.gnv.it in order to inform them of the situation, check any suspicious transactions and assess all possible further protective measures to apply.
- How did you discover the attack?
Following reports of suspicious transactions from a number of payment circuits, precise and in-depth enquiries were promptly set up regarding the complex dynamics of the attack.
- Why are you only contacting me now?
It was a sophisticated cyber-attack, and the enquiries necessary in order to ascertain what happened have taken time, as they were particularly detailed and in-depth.
- Who has had access to my data?
Unidentified and unauthorised persons.
- What action have you taken?
We have informed the Italian Data Protection Authority of the violation. Furthermore, in order to resolve the incident and prevent similar events from taking place in the future, the company has identified and substituted the instruments that were the subject of the sophisticated attack and have consequently adapted the systems of continuous monitoring and protection of security. We are also in contact with the credit institutions in order that they may assess the implementation of further measures for your protection.
Detailed and in-depth enquiries have promptly been set up with regards to the dynamics of the attack, in order to:
• understand the extent of the breach of security and the nature of the data violated;
• duly implement suitable technical, operative and organisational measures aimed at mitigating any potential negative effects for our customers;
• block all possible further episodes of illicit access to personal data by unauthorised subjects;
• assess the risks and the impact that the security breach may have for the persons involved;
• identify further measures to limit the possibility that such events may take place in the future.
- Can I purchase tickets from alternative sources?
- If I purchased tickets via channels other than the website www.gnv.it, am I in any case involved in the breach?
No, because the situation in question regards exclusively personal information regarding passengers, credit card holders and persons in whose name reservations have been made, who purchased tickets via the website www.gnv.it in the period from 25 June to 18 July 2019.
- I have not received any email/notification regarding this event even though I purchased a ticket in the period from 25 June to 18 July 2019. Am I involved in the breach?
The event in question involved the personal information regarding passengers, credit card holders and persons in whose name reservations have been made, who purchased tickets via the website www.gnv.it in the period between 25 June and 18 July 2019. If you belong to one of the aforementioned categories, then you have certainly been involved in the breach.
- Is the ticket that I purchased on the website www.gnv.it in the period between 25 June and 18 July 2019 still valid?
Your ticket is still valid.
- Do I have to block my credit card?
We suggest you contact the issuer of your payment card to inform them of the situation, check any suspicious transactions and assess all further preventative measures to adopt.
- Do I have to inform the other passengers?
If during the reservation process you provided data concerning other persons (e.g. credit cards in the name of another person, family members or other passengers) we kindly ask you to also inform these people.
- Why do you hold my personal data?