When digital crime targets the most vulnerable: the human factor

11 December 2025

Two cyber attacks that reveal the fragility of our digital defenses

In the increasingly connected world of cybersecurity, the most vulnerable are often the most appealing targets. Digital security is only as strong as its weakest link. And that link is almost always human.

The culture bonus theft: 500,000 euros stolen from eighteen-year-olds and the State

Imagine turning eighteen, finally receiving the long-awaited culture bonus – that little digital treasure of 500 euros meant to open the doors of knowledge – and discovering that someone stole it before you could even spend it.

This is what happened to hundreds of young Italians registered on the 18app platform that distributes the bonuses. It was a massive scam against these young people and, in fact, against the State.

The operation involved at least fifteen people in different Italian regions, all investigated for conspiracy in computer fraud and aggravated fraud. The criminals acted with surgical precision, posing as reliable entities like digital identity providers or banks. They cloned the SPID credentials of the new adults to create parallel SPIDs, which they used to access the platform and cash in the bonus. The bonus was then spent in fictitious businesses linked to the same fraudsters.

The next step of the scam involved producing fake invoices to request and obtain refunds from the Ministry of Culture, thus turning the vouchers into cash.

It was not a random attack, but a targeted operation that exploited the relative digital inexperience of those entering the world of official digital identity for the first time.

SPID, the Public Digital Identity System, should be our secure passkey for online public services. Yet this breach shows that even the most robust systems can collapse when the weak link is human. Phishing, credential stuffing, social engineering: the tools of digital crime are many and constantly evolving.

Innocence violated: 8,000 children’s faces on the dark web

If the culture bonus theft affected young adults, the second case takes us to an even more disturbing territory: that of digitally violated childhood. The British educational platform Famly, used by nurseries and kindergartens to share photos and updates with parents, was the scene of a breach that exposed images of about 8,000 children.

The Radiant hacker group claimed the attack, and in a gesture as unusual as it is controversial, later apologized for spreading the children’s photos on the dark web.
A digital mea culpa that raises more questions than it resolves: can one really apologize after exposing thousands of children to the risks of the dark web, without taking any concrete action to repair the damage?

One thing is certain: the dynamics of the attack once again reveal the Achilles’ heel of modern cybersecurity, the human factor.

The breach occurred through the compromise of a single employee’s password. It took just one weak credential, the result of poor knowledge, carelessness, or perhaps outright corruption, to bring down the entire digital fortress like a house of cards and open the gates to unscrupulous criminals.
Moreover, the Famly platform itself was negligent in not obscuring the faces of the children in the photos. Two human errors combined to create irreparable damage.
The apologies from the Radiant group sound hollow in the face of the gravity of what happened. Once a child’s images end up on the dark web, there is no combination of keys or rewind that can erase that breach.

Similarly, the young Italians robbed of their culture bonus lost not only money and the opportunity to acquire new tools of knowledge but also a bit of trust in the digital system that should protect them.

The human factor: the most important gap to fill

These two cases, seemingly distinct, tell the same story: technology can be as sophisticated as we want, but digital security is only as strong as its weakest link. And that link is almost always human.

In the case of the cloned SPID, it was probably the young users – inexperienced in managing digital credentials – who fell into the fraudsters’ traps. In the Famly case, it took just one employee to inadvertently open the doors to a group of unscrupulous criminals.

The lesson is clear and always the same: it’s not enough to build secure systems if people are not adequately trained to use them consciously. Complex passwords, multi-factor authentication, constant vigilance against phishing – these, in the digital age, are no longer options, but necessities.

Thus, a cultural revolution in cybersecurity involving individuals, companies, and institutions is increasingly necessary.

Individuals must become aware that they are part of a complex and connected system and can no longer afford severe knowledge gaps in the IT world. Companies and institutions, especially those handling sensitive data, must adopt security protocols that go well beyond the bare minimum and commit to training their employees and collaborators accurately, extensively, continuously, personally, and interactively. It is precisely these individuals who must transform from the weak link in the chain into the main sentinel.

Today, in this connected world, there are no spectators: we are all potential victims, or unwitting accomplices, of digital crime that can endanger the lives of individuals, the economy of a company, the reputation of an institution, and even the security of an entire State…
