Skip to content

CyberGrant protects every aspect of your digital security

Discover the modular solutions designed to protect your company from external and internal threats, as well as new challenges like AI.

key-minimalistic-square-3-svgrepo-com

Digital asset protection

Automatic classification

Cloud encryption

Email protection

Anti-phishing

password-minimalistic-input-svgrepo-com

RDP protection

Access rules

Stolen Device

Internet access

email grant

Post-send control

Protected Attachments

Human error

Advanced encryption

laptop-svgrepo-com (1)

Malware blocking

Insider threat

Remote access

Application control

Zero trust

Zero-day defense

pulse-svgrepo-com

Device control

Shared files

password

Company vault

Controlled sharing

Zero-trust encryption

Logging and generation

share

Third-party users

RBAC

Anti-AI scraping

VDR

medal-ribbons-star-svgrepo-com

Standards

Compliance risks

bot-svgrepo-com

AI control

Automated classification

AI blocking 

magnifer-bug-svgrepo-com

Surface scan

Vulnerability check

Pen Test

Ransomware simulation

Phishing test

DDoS simulation

 

Tailored cybersecurity for every business.
Scalable solutions compatible with legacy systems, designed for both SMEs and large enterprises requiring full control over data, access, and sharing.


IT
Consulting
Travel
Advertising

Construction
Real Estate

Oil & Gas
Electricity
Telco

E-commerce
Transportation
Shipping
Retail chains

Design
Automotive
Industrial

Central agencies
Local agencies
Supranational orgs

Discover security features to protect your data, files, and endpoints

FileGrant
FileGrant

Securely store, share, and manage your files with an advanced, easy-to-use, and highly customizable platform

 

SG_pittogramma_blu
SecretGrant

Control every credential like a file. Share, track, and revoke access instantly.

 

RemoteGrant
RemoteGrant

RemoteGrant protects your business from attacks and data loss by enabling employees to securely access workstations and files from anywhere.

 

EmailGrant
EmailGrant

Encrypt every email and keep control of attachments, even after sending.

 

AG_pittogramma_blu
AIGrant

AIGrant is your personal assistant - it understands your data, keeps it secure, and delivers exactly what you need.

 

AdobeStock_1918824452-dataBreach-2
Valerio PastoreJul 10, 2026 11:57:02 AM9 min read

Booking, Eataly, Trenitalia: why stolen data was readable

Booking, Eataly, Trenitalia: why stolen data was readable
13:07

Three breaches. Three different infrastructures. One repeated blind spot. In each case, customer records were stored in cleartext. When attackers crossed the perimeter, they found no second barrier. That absence, not the method of entry, determined the damage.

Key takeaways

  • Booking, Eataly, and Trenitalia each protected passwords and payment data, then left everything else unencrypted: names, identity documents, travel records, tax codes, purchase histories.
  • A name paired with a transaction, a document number, or a travel route is not a neutral data point. It is a profile, and profiles are the raw material of targeted phishing.
  • With Booking, WhatsApp fraud campaigns launched within hours of the breach, before the company completed its customer notifications. When data sits in cleartext, an incident has no closing date.
  • Trenitalia faces an additional layer: rail transport is classified as a highly critical sector under Annex I of the EU’s NIS2 Directive, transposed into Italian law as Legislative Decree 138/2024. Encryption and access controls are explicit requirements, with direct liability for senior management.
  • According to the Verizon DBIR 2026, third-party involvement in breaches rose to 48%, up from 30% the prior year. Limiting the damage after a perimeter breach is now as urgent as trying to prevent one.
  • File-centric protection encrypts data at the point of creation. Even if an attacker gets through, the data remains unreadable to anyone without authorization.

 

 

What happened, and why three incidents are really one incident

On April 12, 2026, tens of thousands of Booking.com users received breach notifications: names, emails, phone numbers, and reservation details had been accessed by unauthorized parties. Payment data was excluded. Everything else was exposed in cleartext. I wrote about it at the time, arguing that protecting systems is not enough if the underlying data is not protected (covered also in Finanza Flash).

Weeks later, Eataly’s e-commerce platform was hit. Names, birthdates, tax identification codes, addresses, and purchase histories were readable without any intermediate decryption step, as I noted for Wired Italy. Then Trenitalia, with travel ticket data exposed: full names, birth dates and locations, contact details, routes, identity document numbers, and employers.

Each time, the corporate communication offered the same reassurance. Payment credentials were not affected. That is true, but it is a credit to payment processing architecture, which applies class-specific protections to that data type by design.

 

Why cleartext personal data causes more damage than it looks

Breaches are often framed as contained events: someone got in, took something, now manage the fallout. That framing collapses when the stolen data is in cleartext. The incident does not close. A name linked to an address, a travel route, or a transaction is a profile. A profile enables phishing, and in the right hands it becomes a fraud campaign that runs for months.

With Booking, the mechanism was visible in near real time. WhatsApp messages that cited the hotel name, the check-in date, and the correct phone number. Not generic phishing, but fraud built on the victim’s actual reservation data. Trenitalia itself, in its customer notifications, warned users to be suspicious of any contact referencing their actual journeys, which is a precise anticipation of what was coming. Stolen data becomes the script for the scam. Recipients have no way to distinguish it from a legitimate message.

 

The problem is not just how the attacker got in

“Unauthorized access to certain personal data.” The same phrase appears in all three communications, and what it obscures matters. When an attacker reaches a customer database, it means those records were accessible within the system to someone who should not have had access. Access controls exist precisely for this: to ensure each file is readable only by those with authorization, so a compromised account does not open the entire database.

When someone enters via a stolen credential or an exploited vulnerability and finds thousands of customer records in cleartext, the problem extends well past the entry point. There was no second barrier: no granular permissions at the record level, no encryption that made what the attacker could read worthless. The human element remains the primary attack vector. According to the Verizon DBIR 2026, the human element is present in 62% of breaches, and third-party involvement rose to 48%, doubling from 30% the prior year. I explored the specific role of encryption in a DLP context in this earlier piece.

 

Trenitalia and NIS2: an additional accountability layer

With Booking and Eataly, the issue was corporate responsibility toward customers. With Trenitalia, regulatory liability enters the picture. Rail transport is classified as a highly critical sector under Annex I of the EU’s NIS2 Directive, transposed into Italian law as Legislative Decree 138 of September 4, 2024 and in force since October 16, 2024. An operator of Trenitalia’s scale qualifies as an essential entity under that framework, which means enhanced obligations: risk management, access controls, encryption, incident notification, and direct liability for senior executives. The ACN Determination 127437 of April 13, 2026 (Italy’s National Cybersecurity Agency) raised the bar further, shifting from declared compliance to demonstrable resilience, with explicit focus on supply chain data protection. For a concrete breakdown of what NIS2 means for file sharing specifically, see our guide to secure file sharing under NIS2 in 2026, and for how these requirements translate into an operating model, our NIS2 and GDPR governance guide.

The required notifications to Italy’s Data Protection Authority (Garante per la Protezione dei Dati Personali) and CSIRT Italy were made. The question NIS2 actually poses remains unanswered. If encryption and access controls are explicit requirements, why were customer records readable without any intermediate step once the perimeter was crossed?

 

What happens to data when access occurs anyway

No platform handling millions of records can guarantee that no one will ever get in. That is not a question of budget, team competence, or technology choice. It is a property of connected infrastructure. Perimeter security and access monitoring reduce the probability of intrusion. But if the data at the center of the system is unencrypted, every perimeter control remains a partial measure.

The more useful question is not how to prevent access, but what happens to data when access occurs anyway. If data is encrypted natively, at the point of creation, and remains unreadable to anyone without authorization, the breach becomes operationally irrelevant. The attacker gets in but finds nothing usable. Those WhatsApp messages with real reservation details would not have been possible. The attack might still have succeeded, but the extracted data would have been worthless outside its authorized context. That is the logic of data-centric protection. You do not defend the exit. You protect the file at birth.

 

How CyberGrant protects data beyond the perimeter

CyberGrant’s data-centric approach starts from that question. Rather than chasing data along every possible exfiltration path, it makes data secure at creation so the protection travels with it: on the device, in the cloud, in a third party’s hands, on a remote machine.

Applied to the cases above, that means three things in practice.

Encryption at creation, including post-quantum. Data enters a natively encrypted vault. The quantum-safe encryption layer uses CRYSTALS-Kyber, the NIST-standardized algorithm (FIPS 203 / ML-KEM), and addresses the “harvest now, decrypt later” threat directly: attackers collecting encrypted data today cannot decrypt it tomorrow when quantum computers arrive. An exfiltrated customer record stays unreadable outside its authorized context.

Granular access controls. Role-based access controls (RBAC) and file-level permissions ensure that a single compromised account does not unlock the entire archive. That second barrier was absent in all three cases.

Post-sharing revocation and audit trail. The data owner can revoke access to a file after it has already been sent, and can reconstruct exactly who accessed what and when — a central requirement for the incident notification processes mandated by both NIS2 and GDPR.

CyberGrant does not replace perimeter defenses. It complements them, covering what the perimeter alone cannot protect. We cover this approach in depth in the CyberGrant file-centric DLP whitepaper. Encrypting data at rest is not an optional component to defer to a future roadmap. For any organization handling personal data at scale, it is the minimum condition of responsible data stewardship. Booking, Eataly, and Trenitalia are not edge cases. They are the default outcome, as long as the underlying assumption holds: that the perimeter is enough.

 

FAQ

 

What does “cleartext data” mean in a breach?

It means that once an attacker crossed the perimeter, records were readable and immediately usable with no decryption required. At Booking, Eataly, and Trenitalia, passwords and payment data were protected. Personal records (names, identity documents, travel routes, tax identification codes) were not. That is why they became usable for fraud within hours of each breach.

Why are names and email addresses dangerous when stolen?

In isolation, a name carries low risk. Combined with a travel date, a hotel name, and a phone number, it is a ready-made fraud script. Attackers used Booking reservation details to send WhatsApp messages indistinguishable from legitimate hotel communications. Recipients had no way to tell the difference, because the messages referenced their actual data.

Is encrypting personal data a legal requirement?

No regulation mandates a specific algorithm, but both applicable frameworks require protection proportionate to the risk. The GDPR (EU Regulation 2016/679, Article 32) treats encryption as an appropriate technical measure for personal data. Italy’s NIS2 transposition (Legislative Decree 138/2024) makes it an explicit requirement for essential entities, a category that includes Trenitalia as a rail operator.

What is the difference between file-centric protection and perimeter security?

Perimeter security reduces the likelihood of unauthorized access. File-centric protection encrypts data at creation and keeps it encrypted wherever it travels, so even if the perimeter fails, the file is unreadable to anyone without authorization. The difference is between managing the probability of a breach and making the contents of a breach worthless.

What NIS2 obligations apply specifically to Trenitalia as a rail operator?

Rail transport is classified as a highly critical sector under Annex I of NIS2, transposed into Italian law as Legislative Decree 138/2024. As an essential entity, Trenitalia is subject to enhanced obligations including: encryption of data in transit and at rest, access control and identity management, operational logging and incident management, and supply chain security. The ACN Determination of April 13, 2026 clarified that compliance must be demonstrable through verifiable evidence, not simply declared. Full implementation is required by October 2026.

What is post-sharing revocation, and how would it have changed these breaches?

Post-sharing revocation allows the data owner to revoke access to a file after it has been shared or downloaded, even if it sits on an external system. In a breach like Booking’s or Trenitalia’s, this means files already shared with third parties can be locked immediately, without waiting for those parties to delete them. The associated audit trail provides a record of who accessed each file and when — exactly the evidence required for breach notification to regulators under both NIS2 and GDPR.

Does file-centric protection require replacing tools already in use, like SharePoint or Teams?

No. FileGrant does not replace existing collaboration platforms; it adds a protection layer on top of them. Encryption, access controls, and post-sharing revocation follow the file regardless of how it is shared: via email, Teams, or direct link. The user experience does not change. What changes is that a compromised account no longer unlocks the entire archive.

avatar
Valerio Pastore
Valerio Pastore is a cybersecurity expert and patent inventor in the data protection field. Founder of CyberGrant, he's developed innovative technologies for Data Loss Prevention (DLP), AI-driven security, and quantum-proof encryption, as well as advanced anti-scraping systems.

ARTICOLI CORRELATI