A threat actor has allegedly infiltrated the network of doValue, a leading Italian financial services company, and is claiming to have exfiltrated over 16 terabytes of sensitive data. The massive data cache, which allegedly includes information from doValue and its numerous subsidiaries across Southern Europe, was advertised for sale on a cybercrime forum. The perpetrator claims the data was sourced from the company’s entire Active Directory network, encompassing both database and file servers, suggesting a deep and widespread compromise of the firm’s digital infrastructure.
doValue is a major player in the European financial sector, specializing in the management of credit and real estate assets for banks and investors, with a primary focus on non-performing loans (NPLs). Headquartered in Italy, the Group operates in Spain, Portugal, Greece, and Cyprus, managing billions of euros in assets. The critical nature of its business means the company handles vast amounts of sensitive financial and personal data, making it a high-value target for cybercriminals. The alleged breach affects not only the parent company but also key subsidiaries including Italfondiario, doBank, doNext, and Altamira, amplifying the potential impact across multiple regions.
According to the threat actor’s post, the stolen data is extensive, and they have provided file tree listings from the compromised domains as a form of proof. The allegedly impacted internal domains include:
- altamira.local
- dobank.italfondiario.com
- dovalue.it
- dovaluegroup.local
- IBIS.italfondiario.com
- italfondiario.com