Postel S.p.A. and the 2023 Data Breach: The Truth about the Medusa Attack and Sanctions from the Data Protection Authority

In August 2023, Postel S.p.A., a leading Italian company in the postal services and digital communications sector, became the victim of a serious cyberattack. The Medusa cybercriminal group exploited unresolved vulnerabilities in the company’s systems, gaining access to a large amount of sensitive data. This breach raised significant concerns among both customers and regulatory authorities, eventually leading to a €900,000 fine imposed by the Italian Data Protection Authority (DPA).

The attack on Postel S.p.A. was enabled by the exploitation of three specific vulnerabilities, all linked to Microsoft Exchange Server software, a widely used platform for corporate communications and email management. Below is a detailed analysis of the vulnerabilities used by the Medusa group:

  1. CVE-2022-41080: This is a privilege escalation vulnerability in Microsoft Exchange Server. If exploited, it allows attackers to gain privileged access, enabling them to execute arbitrary code on the server and potentially manipulate or steal sensitive data. Although Microsoft issued patches for this vulnerability, it remained unresolved in Postel S.p.A.’s systems, creating an entry point that Medusa successfully exploited. Details on CVE-2022-41080.
  2. CVE-2022-41082: This vulnerability allows remote code execution in Microsoft Exchange Server, bypassing authentication protections. It lets attackers reach server functions without authorization, potentially obtaining complete control over the Exchange environment. Again, Postel’s failure to remediate this vulnerability allowed Medusa to bypass security mechanisms and execute malicious code. Details on CVE-2022-41082.
  3. CVE-2022-41040: Identified as a Server-Side Request Forgery (SSRF) vulnerability in Microsoft Exchange Server, this flaw allows attackers to make the server issue requests on their behalf, potentially gaining access to internal data. SSRF attacks are particularly dangerous because they abuse the trust relationships between servers and often allow attackers to circumvent firewalls and network restrictions. This vulnerability was also known and patched by Microsoft but was not promptly addressed by Postel, leaving an open path for the attack. Details on CVE-2022-41040.
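As an added illustration (not code from the article, from Postel or from any vendor), the following Python script shows the kind of patch-backlog check that would have surfaced the situation described above: it reads a constructed vulnerability-scan export, flags open findings that are past a patch SLA (known-exploited CVEs get the shortest window) and lists the assets on which every CVE of an exploit chain is still open at the same time. The export format, asset names, dates, severity labels and SLA values are all assumptions made for the example; only the three CVE identifiers come from the article.

```python
"""Patch-backlog triage over a constructed vulnerability-scan export.

Assumptions (not from the article): the export format, asset names,
detection dates, severity labels and SLA values are made up for illustration.
The three CVE identifiers are the ones named in the article.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional, Set, Tuple

# Days allowed to close a finding. Known-exploited CVEs get the tightest
# window regardless of scanner severity. These numbers are assumptions.
SLA_DAYS = {"exploited": 14, "critical": 30, "high": 60}

# Constructed sample export: asset;cve;severity;exploited;first_seen;fixed
# (an empty "fixed" field means the finding is still open).
SCAN_EXPORT = """
# asset;cve;severity;exploited;first_seen;fixed   (constructed sample data)
exch01.example.internal;CVE-2022-41040;high;yes;2022-11-10;
exch01.example.internal;CVE-2022-41082;high;yes;2022-11-10;
exch01.example.internal;CVE-2022-41080;high;yes;2022-11-10;
exch02.example.internal;CVE-2022-41040;high;yes;2022-11-10;2022-11-20
exch02.example.internal;CVE-2022-41082;high;yes;2022-11-10;2022-11-20
web01.example.internal;CVE-0000-0001;high;no;2023-07-01;
"""
# CVE-0000-0001 above is a placeholder for an unrelated, non-exploited finding.


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    severity: str          # "critical" or "high" (scanner label)
    exploited: bool        # known to be exploited in the wild
    first_seen: date       # date the scanner first reported it
    fixed: Optional[date]  # None while the finding is still open


def parse_scan(lines: Iterable[str]) -> List[Finding]:
    """Parse semicolon-separated rows of the constructed export format."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        asset, cve, sev, expl, seen, fixed = (f.strip() for f in raw.split(";"))
        findings.append(Finding(
            asset, cve, sev.lower(), expl.lower() == "yes",
            date.fromisoformat(seen),
            date.fromisoformat(fixed) if fixed else None,
        ))
    return findings


def sla_for(f: Finding) -> int:
    """Exploited-in-the-wild findings always use the shortest SLA."""
    return SLA_DAYS["exploited"] if f.exploited else SLA_DAYS[f.severity]


def triage(findings: List[Finding], today: date) -> List[Tuple[str, str, int, int]]:
    """Return open findings past their SLA as (asset, cve, days_open, days_overdue),
    most overdue first."""
    overdue = []
    for f in findings:
        if f.fixed is not None:
            continue
        days_open = (today - f.first_seen).days
        days_over = days_open - sla_for(f)
        if days_over > 0:
            overdue.append((f.asset, f.cve, days_open, days_over))
    overdue.sort(key=lambda row: -row[3])
    return overdue


def chained_exposure(findings: List[Finding], chain: Set[str]) -> Set[str]:
    """Assets on which every CVE of the given chain is open at the same time,
    i.e. the whole attack path is available to an intruder."""
    open_by_asset = {}
    for f in findings:
        if f.fixed is None:
            open_by_asset.setdefault(f.asset, set()).add(f.cve)
    return {asset for asset, cves in open_by_asset.items() if chain <= cves}


if __name__ == "__main__":
    findings = parse_scan(SCAN_EXPORT.splitlines())
    exchange_chain = {"CVE-2022-41040", "CVE-2022-41082", "CVE-2022-41080"}
    for asset, cve, days_open, days_over in triage(findings, date(2023, 8, 1)):
        print(f"{asset}: {cve} open {days_open} days, {days_over} days past SLA")
    print("full chain exposed on:", chained_exposure(findings, exchange_chain))
```

Run against a real scanner export, the two checks answer the questions this incident raises: which exploited-in-the-wild findings have sat open past their deadline, and on which hosts the complete chain of known bugs is still present together.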

The Medusa group had managed to exfiltrate and subsequently encrypt a total of 84 GB of data, comprising 40,310 folders and 157,189 files. The stolen data included not only Postel’s confidential business information but also highly sensitive personal data of approximately 25,000 individuals. Among the compromised data were:

  • Names and surnames
  • Dates of birth
  • Tax codes
  • Full residential addresses
  • Telephone numbers
  • Corporate and personal email addresses
  • SPID (Public Digital Identity System) access credentials
  • Plaintext passwords for servers and domains
  • Financial and tax documents, including pay slips, unique certifications, Form 730 and Form 740 tax returns
  • Medical documents, such as INPS certifications and occupational health surveillance reports
  • Administrative communications and accident reports sent to INAIL

This exposure not only violates the privacy of thousands of individuals but also puts their personal and financial security at risk.

Under GDPR, a data breach must be reported to the relevant data protection authority within 72 hours of discovery. However, Postel S.p.A. notified the Italian DPA only on August 17, 2023, while Medusa claimed that DDoS attacks on Postel’s systems had started as early as August 10-12, 2023. This indicates that the data exfiltration may have occurred well before the GDPR-mandated reporting window, raising questions about the timeliness of Postel’s notification and its compliance with GDPR requirements.

SuspectFile.com: Is it true, as Postel claims in a statement, that the DDoS attacks were mitigated by their IT department or were you the ones who stopped the attacks?

Medusa Team: Postel: 8.10~12 We stopped DDoS.

Finished inside the network 10

Moreover, in a ruling dated July 4, 2024, the Italian DPA identified several GDPR violations on Postel S.p.A.’s part, including:

  • Article 5: Fundamental principles of data processing, including lawfulness, fairness, and transparency, were not adhered to.
  • Article 33: The failure to timely notify the supervisory authority of the breach represents a serious infraction.
  • Article 34: The failure to communicate the breach to the affected individuals prevented them from taking precautions to protect their data.

These violations led to the DPA imposing a €900,000 fine on Postel S.p.A., underscoring the seriousness of the incident and the company’s legal responsibilities regarding data protection.

According to a statement that Medusa provided to SuspectFile.com via the Tox chat platform at the time of the events, Postel S.p.A. had engaged with the ransomware group: the company had indeed entered the cybercriminals’ negotiation chat.

SuspectFile.com: We would also like to know if you have had contact with one of their negotiators in the chat to negotiate the ransom?

Medusa Team: They came to the chat but didn’t negotiate deeply with us like price suggestion. They visited chat only, didn’t write a word.

This limited engagement may have reflected either an absence of a clear negotiation strategy or hesitation in addressing the crisis, raising concerns about Postel’s overall crisis management and its ability to respond effectively to such incidents.

The incident with Postel S.p.A. underscores the severe consequences of inadequate cybersecurity management and non-compliance with regulations. The unpatched vulnerabilities in Postel’s systems allowed attackers to exploit critical weak points, demonstrating the essential role of regular system maintenance and updates to avoid similar risks. The imposition of a €900,000 fine by the DPA serves as a reminder for all Italian companies that data privacy violations are taken seriously and carry both financial and legal consequences.

GDPR violations not only incur monetary penalties but also damage corporate reputation and customer trust. Data protection is not merely a technical issue; it is a legal obligation and an ethical commitment toward customers and employees. This case highlights how non-compliance with regulations can jeopardize not only business continuity but also the long-term reputation and sustainability of a company.

The Postel S.p.A. incident is a stark example of how devastating a cybersecurity breach can be for a company. The exploitation of known, resolvable vulnerabilities underscores the urgent need for rigorous, proactive cybersecurity strategies. Periodic audits, risk assessments, and careful vulnerability management are crucial to ensuring the security of corporate systems and protecting customer data.

The lesson for companies is clear: complying with data privacy regulations and adopting preventive measures are essential not only to avoid penalties but also to build and maintain customer trust in an era where personal data is one of the most valuable assets.

Cybersecurity is not an expense but an investment to protect a company’s future. Incidents like the one involving Postel S.p.A. should encourage businesses to strengthen their digital defenses, protecting both their data and their clients’ privacy.