Wind Tre: €1.715M for unprotected APIs and poor key management
Italy’s DPA fined Wind Tre €1,715,600 for security gaps: weak certificate/key management and APIs lacking basic controls, leading to data exfiltration affecting 365,048 customers (41,359 with payment data).
On 16 July 2026, Italy’s data protection authority (Garante) published a €1,715,600 penalty issued on 14 May 2026 against telecom operator Wind Tre S.p.A. Two notified breaches (20 and 28 February 2025) are at stake: after an initial illicit access (23 customers), a second incident triggered nearly 2 million enumeration requests against “secondary” APIs, exposing data of 365,048 customers, including 41,359 with payment-related information (IBAN, postal payment slip, card with masked PAN and expiry date).
What happened
The authority found weak certificate and key management and the absence of basic API controls (rate limiting, CAPTCHA), which enabled large-scale exfiltration. The fine includes corrective orders within 30 days and publication of the decision.
Legal basis
Violations concern integrity and confidentiality (Article 5(1)(f)) and security of processing (Article 32(1)(b)) under the GDPR. The amount relies on GDPR Article 83 criteria (paras. 1–2), the applicable cap (para. 5), and Article 83(3) for multiple infringements relating to the same processing. Orders and the fine rely on Article 58(2)(d) and (i). See the GDPR Articles 5(1)(f) and 32 for the detailed framework.
What this means for Luxembourg-based companies
Key message: authorities now penalize basic engineering gaps in authentication chains and API security, even when the initial vector is social engineering at a distributor. For groups operating in Luxembourg (telecoms, financial services, retail, energy) with branch or reseller networks, exposure is twofold: GDPR controller responsibility across all point-of-sale channels and providers, and technical evidence under Article 32 (certificate/key hygiene, identity management, API hardening, targeted tests). Expect CNPD/CNIL/APD to assess your measures from this angle; for local context, see how to assess your cybersecurity capabilities in Luxembourg.
Immediate actions to take this week
- Inventory and classify all exposed APIs (including “secondary” ones), enforce rate limiting, CAPTCHA, enumeration detection and centralized logging; schedule API-specific penetration tests (OWASP API Security Top 10) and retain evidence. An API-focused cybersecurity audit can accelerate upgrades.
- Enforce strong control over certificates/keys and point-of-sale credentials: HSM/KMS vaulting, formal rotation and revocation, mandatory password manager for franchisees/agents, with evidence of application and audit.
- Refine GDPR playbooks: targeted data subject notification, post-incident risk assessment and measurable remediation plan; document proportionality of measures against Article 32 to withstand CNPD/CNIL/APD scrutiny.
Fine and factors
Amount: €1,715,600 (~0.04% of 2024 turnover; 1% of the €171.56M cap). Aggravating: number of data subjects and risk exposure. Mitigating: swift notification, cooperation, and post-incident measures.
Sources
- Garante Privacy – Newsletter of 16 July 2026 (10272004).
- Garante Privacy – Decision of 14 May 2026 (doc. web 10263796).
Want to prioritize your next steps? Reach out via our contact page.
Article generated by Luxgap regulatory watch. For tailored guidance on this topic, contact us.
A question on this topic?
Our team usually replies within one business day. Configure your quote or write to us.
Build my quote →