The Agency for Digital Italy (AgID) says tens of thousands of high-resolution scans of passports, ID cards and other documents were lifted from hotel systems and advertised on the dark web between August 9 and 11.

AgID detected ‘illegal sales activity’ offering the trove, with listings priced from about €800 up to €10,000, according to Corriere della Sera. The seller, using the handle ‘médoc’(mydocs), claimed the stash was harvested after unauthorised access to hotel IT systems between June and August 2025.

Authorities say at least ten hotels are confirmed victims so far, but more could emerge. Among those named by Italian media: Ca’ dei Conti in Venice (around 38,000 images reportedly taken in July) and Hotel Continental in Trieste (about 17,000 documents), with further breaches flagged in Milano Marittima and on the island of Ischia.

Why this is serious: passport and ID scans are exactly what crooks need to forge documents, open bank or phone accounts, apply for loans, or hijack digital identities. AgID cautions victims could face financial losses and legal headaches if their data is misused.

Hotels routinely scan passports at check-in to meet local registration rules. Those scans are then stored on property systems or shared with third-party software for guest management and police reporting. If those systems aren’t properly secured — weak passwords, out-of-date software, exposed remote access – they become low-effort, high-value targets.

AgID’s early findings point to compromised hotel servers, with the data later bundled and offered to multiple buyers. The agency has pushed urgent guidance to hospitality operators and notified law-enforcement. Meanwhile, cybersecurity teams are tracing the listings and contacting identified venues.

This isn’t a one-off for the travel industry. Hotels and booking platforms are frequent targets, with past hits on Marriott, Caesars and Booking.com underscoring how coveted guest data has become for cybercrime.