Cyber Grant Blog

Written by CyberGrant Team | Mar 16, 2026 11:50:30 AM

Vittoria Assicurazioni: The 280 GB Data Breach Nobody Saw Coming

(and How CyberGrant Would Have Changed the Outcome)


The Cold Case

By early August 2022, investigators from the Milan Postal Police, led by director Tiziana Liguori, were already building a case file for the Milan Prosecutor's Office, which was evaluating charges against unknown parties. There was nothing ambiguous about what they were looking at. (Source: La Repubblica)

280 gigabytes. 970,000 files. Data tied to approximately 800,000 individuals: insurance policies, personal records, almost certainly medical information. This wasn't a smash-and-grab. It was the result of sustained, undetected access, with enough time to move through the network, identify what was worth taking, and extract it cleanly.

For an insurance company, those files aren't just operational data. They are the relationship with every client, encoded in documents that European law classifies as special category data: health records, financial information, claims history. Losing them means fighting on three fronts at once: the data protection authority, the clients, and the lawyers. 

What would have happened if CyberGrant had been active when the attacker started moving?


Technical Analysis

The initial access vector was never publicly disclosed. Law enforcement likely identified it, but the details remain sealed. What the numbers make clear is what happened after access was gained.

Moving 280 gigabytes of structured documentation requires stable network access, enough time to navigate multiple repositories, and no monitoring system flagging the transfer. At Vittoria Assicurazioni, all of those conditions held long enough for the operation to complete. The likely sequence: initial access via valid or stolen credentials, lateral movement toward document repositories, systematic collection of files, exfiltration to external infrastructure. No sophisticated exploit required. This kind of attack works when data has no native protection and when security controls are built entirely around the network edge.

The structural problem

Insurance organizations are, by nature, data-heavy. Every client file contains personally identifiable information. Medical underwriting data, claims records, financial details: the kind of data regulators treat with specific obligations. The prevailing security model in this sector is still perimeter-based: verify who gets in, then trust what's inside. That model holds until the perimeter fails. When it does, the data is sitting there, readable, exportable, and ready to use. That's what happened here.

Where governance broke down

GDPR Articles 25 and 32 require data protection by design and by default, with technical measures appropriate to the sensitivity of the data being processed. With health and financial records for 800,000 people in scope, the bar is not ambiguous. The absence of native file encryption, the lack of access segmentation by content sensitivity, and no alerting on abnormal transfer volumes point to a compliance posture that existed on paper but hadn't been translated into operational controls on the data itself.


How CyberGrant Would Have Stopped the Damage


FileGrant: 280 GB exfiltrated, nothing readable

Exfiltration is the last step in the attack chain. It's also the step that converts a technical breach into real-world harm. FileGrant breaks that conversion.

Every sensitive document gets encrypted at the point of ingestion. That protection travels with the file regardless of where it goes: internal servers, cloud storage, email, remote devices. The attacker could have collected all 970,000 files. But 280 gigabytes of post-quantum encrypted documents, without the decryption keys, have no market value. They can't be read, sold, or used as leverage. The Lock&Go mechanism keeps the encryption enforced after the file leaves the corporate environment, because the protection lives in the data itself, not in the network perimeter.

The regulatory implication is direct. GDPR Article 34(3)(a) exempts organizations from the obligation to notify affected individuals when exfiltrated data has been rendered unintelligible to unauthorized parties. The operational difference between notifying 800,000 clients that their medical and financial records are in unknown hands versus managing the incident with a notification to the supervisory authority alone is significant, in legal costs, reputational exposure, and control over the public narrative.

Concrete advantage: the exfiltration produces no usable value, and the threshold triggering individual notification under GDPR Art. 34 is not reached.


AIGrant: when the archive has structure, an attacker can't navigate it freely

970,000 files don't get classified by hand. Manual classification is incomplete by design: the most sensitive documents end up treated as ordinary ones, access restrictions stay broad, and the archive remains flat. An attacker with mid-level credentials can move between repositories without encountering meaningful barriers.

AIGrant solves this upstream. It reads document content, assigns sensitivity levels automatically, and applies access controls consistently, without waiting for human intervention. No documents fall through because no one had time to tag them. In Vittoria Assicurazioni's case, files containing health data and policy records would have been segregated and accessible only to roles with an operational need. A compromised mid-level account would not have been able to systematically harvest the entire document archive: restricted sections would have been inaccessible, and any attempt to escalate privileges would have been logged.

Concrete advantage: the exposed surface shrinks structurally. A single compromised account doesn't open everything, and attempts to widen access become visible before the exfiltration scales.


RemoteGrant: flag the anomaly while there's still time to act

If initial access came through a compromised endpoint or an active remote session, the problem wasn't just the access itself. It was the unconstrained movement that followed. RemoteGrant applies endpoint-level controls that limit what an authenticated session can actually do, even from inside the network. A user accessing multiple repositories in rapid sequence and generating transfer volumes inconsistent with their operational history is a recognizable signal. Catching it doesn't require a dedicated analyst — it requires a system configured to surface it before 280 gigabytes are already gone.

Concrete advantage: the breach is detected while it's still containable, not after it's complete.
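The signal described above, written out as an added Python example (not CyberGrant's or RemoteGrant's own code, which the post does not show): constructed file-access events, a per-user daily baseline built from earlier days, and a sliding window that raises a finding when one account touches many distinct repositories while moving far more data than its baseline. The log format, usernames, repository names and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events "timestamp,user,repository,bytes" (not real log data).
SAMPLE_LOG = """\
2022-07-01T09:12:00,u.rossi,claims,1200000
2022-07-02T10:05:00,u.rossi,claims,900000
2022-07-03T11:40:00,u.rossi,policies,1500000
2022-07-04T09:30:00,u.rossi,claims,1100000
2022-07-05T09:02:00,u.rossi,claims,1000000
2022-07-05T09:05:00,u.rossi,policies,400000000
2022-07-05T09:09:00,u.rossi,medical,650000000
2022-07-05T09:14:00,u.rossi,finance,300000000
2022-07-05T09:20:00,u.rossi,hr,220000000
2022-07-01T14:00:00,m.bianchi,policies,2000000
2022-07-05T15:00:00,m.bianchi,policies,2500000
"""

def parse_log(text):
    """Parse the CSV-style lines into (datetime, user, repo, bytes), sorted by time."""
    events = []
    for line in text.splitlines():
        ts, user, repo, nbytes = line.split(",")
        events.append((datetime.fromisoformat(ts), user, repo, int(nbytes)))
    return sorted(events)

def daily_baseline(events, user, before):
    """Mean bytes per active day for `user`, using only days strictly before `before`."""
    per_day = defaultdict(int)
    for ts, u, _, b in events:
        if u == user and ts.date() < before:
            per_day[ts.date()] += b
    return sum(per_day.values()) / len(per_day) if per_day else None

def find_anomalies(events, window=timedelta(minutes=30), min_repos=3, volume_factor=10):
    """Return (user, window_start, distinct_repos, bytes) for the first window per user
    in which the user touched >= min_repos repositories AND moved more than
    volume_factor times their daily baseline. Users with no history are skipped."""
    findings = []
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    for user, evs in by_user.items():
        for i, (start, _, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            repos = {e[2] for e in in_win}
            volume = sum(e[3] for e in in_win)
            base = daily_baseline(events, user, start.date())
            if base and len(repos) >= min_repos and volume > volume_factor * base:
                findings.append((user, start.isoformat(), len(repos), volume))
                break  # one finding per user is enough to raise the alert
    return findings
```

In the sample, u.rossi's four prior days average 1.175 MB, so the 1.57 GB sweep across five repositories on 5 July is flagged at its first event, while m.bianchi's single-repository activity is not.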


Hypothetical Outcome

With CyberGrant active, the initial access could still have happened. That's the honest starting point for any analysis of this kind, and it's worth stating plainly.

What changes is the chain of consequences. Files are encrypted: the attacker walks away with data they can't use. AIGrant has segmented the archive: compromised credentials don't open everything, only what they were explicitly authorized to access. RemoteGrant flagged the anomaly: the exfiltration gets interrupted before it reaches the documented scale. The result is not the absence of an incident. It's a contained incident, with unusable data, no obligation to notify 800,000 clients, and a defensible position with the supervisory authority.

CyberGrant doesn't eliminate risk. It turns risk into something measurable and controllable.


Final Takeaways and Call to Action

A strong perimeter isn't enough if everything inside it is readable. The operational question for every CISO in the insurance sector is concrete: if one account is compromised, how many sensitive files are accessible and readable without additional barriers? If the answer is more than a handful, the perimeter is the only line of defense. That's not a strategy.

At document scale, manual classification is a liability. An access policy built on incomplete classification protects only part of the archive, and not necessarily the most exposed part. Automating classification isn't an optimization — it's the precondition for access controls that actually work.

The audit trail matters as much as the technical controls, especially when investigators arrive. Who accessed what, when, and for how long: those questions come early. Without a complete log, incident response slows down and the position with the supervisory authority becomes harder to defend over issues that were avoidable.