Communication to the data subjects pursuant to Article 34 of EU Regulation 2016/679

We inform you, pursuant to Article 34 of EU Regulation 2016/679, that our company has suffered a cyberattack (ransomware) that affected the company’s servers and may have resulted in a possible breach of the personal data contained therein.

The investigations carried out revealed that the personal data breach may have occurred on 23/4/2024 and manifested on Sunday 5/5/2024, as access to the company’s IT systems was prevented on Monday 6/5/2024.

The described breach was promptly notified to the supervisory authority (so-called Data Protection Authority) on 8 May 2024 and reported to the competent authorities on 14 May 2024.

The perpetrators of the attack potentially had access to personal data stored on the affected servers. However, it was not possible to determine whether there was an actual exfiltration of data.

As soon as we detected the breach, we immediately appointed a specialized IT company that analyzed the attack to mitigate its effects. This company then restored the company’s IT system in the shortest possible time by creating a new secure IT network, into which all the data from the last backup performed on 03/05/2024 were gradually loaded; this allowed us to fully recover the availability of the data. To date, further investigations by the appointed IT company are still ongoing.

To prevent such incidents from occurring in the future, we are evaluating new security measures with the IT company to enhance the protection systems used.

We suggest that you pay particular attention to any emails, SMS, messages, or phone calls requesting personal data, carefully assessing the credibility of the requester. Beware of emails, SMS, and other messaging sources containing suspicious or unusual hyperlinks (links) or attachments.

Best regards,

Gedy S.p.a.