Italy has recently been rocked by a major scandal involving severe data privacy violations. Although investigations are ongoing, the case already highlights critical lessons that other countries, including Japan, should consider when reflecting on their own data security practices.

Equalize and its alleged crimes

At the center of the case is Equalize, a Milan-based private intelligence firm led by Carmine Gallo, a former police officer known for his career against organized crime in Northern Italy[1], and Enrico Pazzali, former Chief Executive Officer of Fiera Milano S.p.A. (one of Italy’s largest exhibition organizers) and an entrepreneur with a record of prestigious roles and political connections[2]. On paper, Equalize operated like any other investigation agency: researching firms or individuals for private or corporate clients to uncover backgrounds and hidden information and to assess potential business risks. In Italy, such private investigative work is legal but strictly regulated[3]: for example, it is forbidden to collect information inside private residences or through unlawful access to computer systems protected by security measures[4]. Italian data privacy regulation is considered less strict than that of some other European countries[5], but it operates within the framework of the European Union’s General Data Protection Regulation (GDPR), often described as the world’s toughest privacy law[6].

Equalize, however, allegedly ignored these rules. Press reports indicate that from at least October 2022[7], Equalize accessed multiple databases run by Italian administrative and governmental bodies, including those of the National Institute for Social Security, the Revenue Agency[8], and the National Register of the Resident Population held by the Ministry of the Interior[9]. Equalize also reportedly accessed the “Interagency Investigation System” (Sistema d’Indagine, or SDI)[10], a database shared among law enforcement branches that holds records on charges, suspects, passports and more[11] and is linked to the databases of other agencies, such as the motor vehicle registry[12]. Equalize is also alleged to have accessed the “Suspicious Transaction Reports” (SOS in Italian) handled by the Bank of Italy’s Financial Intelligence Unit, the mandatory reports that financial institutions file for transactions possibly linked to illegal activity[13]. This data (possibly around 15 terabytes of it[14]) was allegedly used by Equalize and at least five colluding firms[15] to compile illegal dossiers in response to clients’ requests. Hypothesized uses of these dossiers include extortion or blackmail[16], influence over official decisions, manipulation of investigations and trials[17], and leaks to investigative journalists[18].

Local and foreign actors involved

A complete list of Equalize’s clients is still under investigation, but current defendants include personnel of Luxottica (a leading eyeglass manufacturer and retailer) and Barilla (a major pasta producer), among other top firms[19]. Ties to organized crime and intelligence services have also been suggested[20]. Reports further hint at foreign clients, including Israeli Mossad agents who allegedly sought Equalize’s help to monitor actors in Russia and to share the resulting intelligence with contacts in the Vatican[21]. While clients’ requests often had personal or internal corporate motivations, the roster underscores Equalize’s reach.

The list of alleged victims is equally high-profile, including Italian celebrities, journalists, local politicians and industry leaders[22], as well as Italy’s President Sergio Mattarella (whose e-mail account was reportedly breached or cloned), President of the Senate Ignazio La Russa, and former Prime Minister Matteo Renzi[23].

How did Equalize gain access to data?

Access to restricted data was allegedly enabled by IT consultant Nunzio Calamucci, who also led the team behind the “Beyond” platform, a system used to assemble the stolen data and distribute it to clients[24] after stripping metadata[25] and other identifying information that could reveal its origin.

According to police, one method was a Remote Access Trojan (RAT) installed on a machine connected to the Ministry of the Interior’s network. A RAT is malware that gives an attacker remote control of a computer, enabling data theft, keystroke logging and user monitoring[26]; a compromised machine that already sits inside a ministry network is trusted by the systems it talks to, which is what makes this placement valuable. In other cases, monitoring software was installed on victims’ computers without their knowledge[27].

Corrupt insiders[28] likely installed the RAT on the targeted systems, while several law enforcement officers allegedly queried the tightly regulated[29] SDI on Equalize’s behalf[30]. Gallo’s police experience in interagency cooperation[31] and Calamucci’s professional connections to the designers and hosts of the databases[32] may have eased access (reportedly framed as maintenance work[31]) and allowed Equalize to obtain a copy of the data without triggering unauthorized-access alerts[33]. The point matters for defenders: most of this access was performed with legitimate credentials by people entitled to hold them, so controls that only watch for outsiders breaking in would see nothing unusual; what would have stood out is the pattern of use. Experts also point to a lax security culture in which rules were treated as dismissible obstacles rather than safeguards[34].

Not the first case

Equalize’s case has recently begun to merge with probes into a similar clandestine private investigation agency based in Rome, “Squadra Fiore”[35]. Other similar cases also emerged in 2024. In September, Pasquale Striano, a lieutenant in the Italian Financial Police (Guardia di Finanza), was accused of illegally obtaining thousands of financial records and handing them to journalists. He described his actions as routine for SOS investigations, but prosecutors argued that the volume of downloads (up to 10,000 files per day) suggested otherwise[36]. In October, former banker Vincenzo Coviello was accused of illegally accessing the account information of thousands of VIP clients. Authorities were alarmed that his access, seemingly driven by personal curiosity, went unchecked for months[37].
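All three cases share the same shape: credentials that were valid, used for purposes that were not, and no control looking at how they were used. The following is an added example of the kind of failsafe that would have caught the pattern; it is illustration code written for this page, not anything from the Equalize investigation, the prosecutors or any Italian agency. The audit-log format (one line per lookup with user, subject and case fields), the rule thresholds, the user and subject identifiers and every record are assumptions constructed for the example. The volume rule mirrors the prosecutors’ reasoning in the Striano case, the repeated-lookup rule targets the months-long curiosity access in the Coviello case, and the watchlist rule covers lookups of protected persons with no case to justify them, which is how officers querying the SDI on Equalize’s behalf with their own credentials would have appeared.

```python
"""Spotting insider misuse of a records database from its audit log.

Added example, not code from the Equalize investigation or from any Italian
agency. The log format (one line per lookup: timestamp, user=, subject=,
case=), the rule thresholds and every record below are assumptions chosen
for illustration.
"""
from collections import Counter, defaultdict
import statistics


def make_sample_log():
    """Constructed audit log: routine activity plus two misuse patterns."""
    lines = []
    # Routine: three analysts, 2-4 lookups per day, each tied to a case file.
    for day in range(1, 11):
        for i, user in enumerate(("analyst01", "analyst02", "analyst03")):
            for n in range(2 + (day + i) % 3):
                subject = f"S-{day * 100 + i * 10 + n:06d}"
                lines.append(f"2024-09-{day:02d}T09:{n:02d}:00Z "
                             f"user={user} subject={subject} case=C-{day:04d}")
    # Bulk extraction: one account pulls 45 records in one evening, no case cited.
    for n in range(45):
        lines.append(f"2024-09-07T22:{n:02d}:00Z user=officer07 "
                     f"subject=S-{900000 + n:06d} case=")
    # Curiosity lookups: a protected subject queried on three days, no case cited.
    for day in (2, 5, 9):
        lines.append(f"2024-09-{day:02d}T12:30:00Z user=clerk12 "
                     f"subject=S-000777 case=")
    return lines


def parse(line):
    """Turn one 'ts key=value ...' line into a dict; 'day' is the date part."""
    ts, *pairs = line.split()
    rec = {"ts": ts, "day": ts[:10]}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def volume_outliers(records, factor=5.0, min_count=20):
    """(user, day, count) for user-days far above the typical daily volume.

    The baseline is the median over all user-days, so one heavy user cannot
    drag the baseline up and hide behind it.
    """
    per_user_day = Counter((r["user"], r["day"]) for r in records)
    baseline = statistics.median(per_user_day.values())
    return sorted((u, d, c) for (u, d), c in per_user_day.items()
                  if c >= min_count and c > factor * baseline)


def watchlist_without_case(records, watchlist):
    """Lookups of protected subjects that cite no case file."""
    return [r for r in records if r["subject"] in watchlist and not r["case"]]


def repeated_without_case(records, min_days=3):
    """(user, subject, days): the same user revisiting the same subject on
    several days with no case cited, a pattern a volume rule never sees."""
    days = defaultdict(set)
    for r in records:
        if not r["case"]:
            days[(r["user"], r["subject"])].add(r["day"])
    return sorted((u, s, len(d)) for (u, s), d in days.items()
                  if len(d) >= min_days)


def review(lines, watchlist):
    """Run all three rules over raw log lines and return the findings."""
    records = [parse(line) for line in lines]
    return {
        "volume": volume_outliers(records),
        "watchlist": watchlist_without_case(records, watchlist),
        "repeated": repeated_without_case(records),
    }


if __name__ == "__main__":
    # S-000210 is on the watchlist but was looked up with a case reference,
    # so it must not appear in the findings.
    findings = review(make_sample_log(), watchlist={"S-000777", "S-000210"})
    for rule, hits in findings.items():
        print(f"{rule}: {len(hits)} finding(s)")
        for hit in hits:
            print("  ", hit)
```

The design point is who runs this, not the rules themselves: they are a failsafe only if the log is written to a store the queried users cannot alter and the findings go to a reviewer outside their chain of command. Otherwise an insider with privileged access simply suppresses the alert, which is the watchmen problem the next section discusses.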

Lessons to learn

While the Equalize case is influenced by Italy’s unique context, it can offer valuable lessons in data security for other countries, including Japan.

The first lesson echoes an old question: who watches the watchmen? In Italy, the authorities responsible for safeguarding sensitive data, including law enforcement, appear to have failed, been corrupted, or dismissed warnings as mere nuisances. Strong checks and balances are vital to uphold integrity standards for those working around sensitive data. Italian intelligence authorities have since issued stricter guidelines on access control and system design[38]; other countries should act pre-emptively to avoid similar scandals and design failsafes for the scenario in which the watchmen themselves go astray, for instance audit logs that privileged users cannot alter and review of access patterns by someone other than the people being reviewed.

Another lesson concerns the sharing of sensitive data. As Japan and other countries champion initiatives like “Data Free Flow with Trust” (DFFT) to promote international data sharing and collaboration[39], cases like this one underscore the need for strong domestic safeguards in any country that asks its partners to trust it with their data. For personal data, Japan’s Act on the Protection of Personal Information (APPI) covers data subjects’ rights as well as requirements for business operators[40]. However, APPI’s enforcement mechanisms have been criticized as too weak to give businesses a real incentive to improve data security[41], and although strengthening amendments have been proposed, they are still under consideration[42]. Establishing secure practices and appropriate consequences for violations is crucial to a reliable global framework for data sharing: without a strong domestic foundation, the credibility and safety of initiatives like DFFT may be undermined.

The final lesson concerns the risk of the so-called “revolving door,” in which individuals move between public-sector roles, such as government agencies, and private-sector positions, often within related industries. The practice has benefits: for the hiring firms, greater networking potential, lobbying power and access to government funding[43]. It also seems nearly inevitable in specialized fields like cyber security, where demand for experts far outstrips supply, and a return to the public sector after private-sector work can bring diversified experience and skills[44]. However, it raises concerns about conflicts of interest[45] and, in cyber security, about the voluntary or involuntary transfer of sensitive information[46]. Rules that balance risk reduction against flexibility are therefore needed; they will depend on local context and law, but examples include cooling-off periods and restrictions on client contact for individuals moving between the public and private sectors, as well as strict data management when employees depart (revoking credentials promptly and reviewing the departing employee’s recent access). Italy has no regulation of the “revolving door”[47], which may have contributed to Equalize’s alleged violations. Japan should be better prepared, having enacted laws in the 2000s to curb the similar practice of amakudari (“descent from heaven”), in which retired senior bureaucrats are preferentially hired by the private-sector industries they once oversaw[48]. Still, since the scarcity of cyber experts will inevitably produce a “revolving door” environment, proper and timely oversight is needed to prevent misuse of sensitive data.

In conclusion, a country's approach to data privacy must balance flexibility and oversight, and cases like Equalize can help us learn how to strengthen regulations and prevent violations.

(2025/03/28)

Notes

  1. Il Sole 24 Ore, “Inchiesta hacker: i dossieraggi, i clienti e le vittime. Cosa sappiamo finora” (Hacker investigation: illegal dossiers, clients and victims. What we know so far), October 29, 2024.
  2. Alessandro Patella, “Chi è Enrico Pazzali, il manager a capo del gruppo accusato di spiare i politici” (Who is Enrico Pazzali, the manager leading the group accused of spying on politicians?), Wired, October 28, 2024.
  3. Private investigations are regulated by the Italian laws cited below; data privacy rules issued by the Italian Data Protection Authority (see next note) and the European Union, and the codes of trade associations, also govern the field. Gazzetta Ufficiale, “Regio Decreto 18 giugno 1931, n. 773” (Royal Decree No. 773 of June 18, 1931); Gazzetta Ufficiale, “Ministero dell’Interno – Decreto 1 dicembre 2010, n. 269” (Ministry of the Interior, Decree No. 269 of December 1, 2010); Federpol, “Codice Etico-Deontologico Federpol 2021” (Federpol’s 2021 Code of Ethics).
  4. Garante Privacy, “Regole deontologiche relative ai trattamenti di dati personali effettuati per svolgere investigazioni difensive o per fare valere o difendere un diritto in sede giudiziaria pubblicate ai sensi dell’art. 20, comma 4, del d.lgs. 10 agosto 2018, n. 101 - 19 dicembre 2018” (Ethical rules on processing personal data for defensive investigations or to assert or defend a right in court, published pursuant to Article 20(4) of Legislative Decree No. 101 of August 10, 2018, December 19, 2018); Codice Penale, Art. 615-ter (Penal Code, Article 615-ter, unauthorized access to a computer system).
  5. Bart Custers, Francien Dechesne, Alan M. Sears, Tommaso Tani, Simone van der Hof, “A comparison of data protection legislation and policies across the EU,” Computer Law & Security Review, Vol. 34, Issue 2, April 2018, 234-243.
  6. Ben Wolford, “What is GDPR, the EU’s new data protection law?”, GDPR.eu.
  7. Sky TG24, “Inchiesta dossieraggio, cos'è e cosa è successo: dagli hacker coinvolti agli spiati” (Investigation on illegal dossiers: what it is and what happened, from the hackers involved to the victims), October 28, 2024.
  8. Il Post, “Da dove vengono questi dati rubati allo Stato” (Where the data stolen from the State comes from), October 29, 2024.
  9. In Italy, the Ministry of the Interior oversees internal and public security, handles a variety of documents such as passports, and controls the State Police, the Fire Department and the Civil Protection Department. Il Sole 24 Ore, “Inchiesta hacker.”
  10. Ibidem.
  11. Riccardo Piccolo, “Sdi, come funziona la banca dati più sensibile delle forze dell'ordine che è stata ‘violata’” (SDI: how the most sensitive law enforcement database, now ‘hacked’, works), Wired, October 28, 2024.
  12. Il Post, “Da dove vengono questi dati.”
  13. Unità di Informazione Finanziaria per l’Italia, “The reporting of suspicious transactions.”
  14. Philip Wilan, “Italian police arrest four after president’s email ‘hacked’,” The Times, October 27, 2024.
  15. Matteo Runchi, “Dossieraggio sui politici, come Equalize violava le più importanti banche dati dello Stato” (Illegal dossiers on politicians: how Equalize breached the State’s most important databases), QuiFinanza, October 28, 2024.
  16. Sky TG24, “Inchiesta dossieraggio.”
  17. Alexander Martin, “Dozens under investigation in Italy amid scandal over hacked government databases and illegal dossiers,” The Record, October 28, 2024.
  18. Gabriele Caramelli, “Nuova bufera su Report per i ‘dossier’ di Equalize. Il giornalista Mottola nega e annuncia querela” (More turmoil for Report over Equalize’s ‘dossiers’: journalist Mottola denies and announces a lawsuit), Il Secolo d’Italia, December 17, 2024.
  19. Il Sole 24 Ore, “Inchiesta hacker.”
  20. Sky TG24, “Inchiesta dossieraggio.”
  21. Hannah Roberts and Antoaneta Roussi, “Vatican, Israel implicated in Italy hacking scandal, leaked files reveal,” Politico, November 1, 2024.
  22. Sky TG24, “Inchiesta dossieraggio.”
  23. Il Sole 24 Ore, “Inchiesta hacker.”
  24. Giorgia Venturini, “Chi è Nunzio Calamucci, l’hacker di Equalize a cui i clienti si rivolgevano per lavori milionari” (Who is Nunzio Calamucci, the Equalize hacker clients turned to for million-euro jobs?), Fanpage.it, October 30, 2024.
  25. Matteo Runchi, “Dossieraggio sui politici.”
  26. Malwarebytes Labs, “Remote Access Trojan (RAT).”
  27. Il Sole 24 Ore, “Inchiesta hacker.”
  28. Paolo Ottolina, “Dossieraggio e hacker, come tutelarsi dagli ‘spioni’ e le parole per capire il caso Equalize (da Sdi a Rat)” (Illegal dossiers and hackers: how to protect yourself from ‘spies’, and the key terms for understanding the Equalize case, from SDI to RAT), Corriere della Sera, October 27, 2024.
  29. Riccardo Piccolo, “Sdi, come funziona.”
  30. Il Post, “Da dove vengono questi dati.”
  31. Francesco Bechis and Valeria Di Corrado, “Dati rubati, così gli ex agenti segreti bucavano il Viminale: ‘Cortocircuito del sistema’. Il trucco di Calamucci: ‘La manutenzione’” (Stolen data: how former secret agents penetrated the Ministry of the Interior: ‘A short-circuit in the system’. Calamucci’s trick: ‘Maintenance’), Il Messaggero, October 31, 2024.
  32. Philip Wilan, “Italian police arrest four.”
  33. Paolo Dimalio, “Spioni negli archivi riservati? Gli esperti: ‘Colpa dei dipendenti infedeli, la favola degli hacker copre l’omessa vigilanza ai piani alti’” (Spies in confidential archives? Experts: ‘Blame disloyal employees; the hacker story covers up the failure to supervise at the top’), Il Fatto Quotidiano, November 12, 2024.
  34. Ibidem.
  35. Giuliano Foschini, “I dossier sui politici della squadra Fiore, si indaga sui legami con l’intelligence” (Squadra Fiore’s dossiers on politicians: intelligence ties under investigation), La Repubblica, February 3, 2025.
  36. Giovanni Bianconi, “Dossieraggi, 230 mila gli atti scaricati e altri accessi su Crosetto. Cantone: attività inspiegabile” (Illegal dossiers: 230,000 records downloaded and further accesses on Crosetto. Cantone: inexplicable activity), Corriere della Sera, September 24, 2024.
  37. Luca Pons, “Inchiesta Bari, ora è indagata anche Intesa Sanpaolo nel caso del bancario che spiava i conti dei vip” (Bari inquiry: Intesa Sanpaolo now also under investigation in the case of the banker who spied on VIPs’ accounts), Fanpage.it, October 14, 2024.
  38. Ivan Cimarrusti, “Database di Stato violati, informazioni protette su più livelli di controllo” (State databases breached: information to be protected by multiple layers of control), Il Sole 24 Ore, December 3, 2024.
  39. Japan Digital Agency, “Overview of DFFT.”
  40. Hemangi Gokhale, “Improving Data Privacy for Japan - APPI and GDPR Case Study,” The Economic Review of Japan University of Economics, Vol. 52, No. 1 (December 2021), 159-166.
  41. Ibidem.
  42. Hiroyuki Tanaka, Kohei Shiozaki, “Japan's DPA publishes interim summary of amendments to data protection regulations,” International Association of Privacy Professionals, July 11, 2024.
  43. Sharon Belli and Jan Beyers, “The Revolving Door and Access to the European Commission: Does the Logic of Influence Prevail?,” Journal of Common Market Studies, Vol. 62, No. 1 (2024), 186-204; Trevor Incerti, “Who benefits from the revolving door? Evidence from Japan,” OSF Preprints, November 21, 2024.
  44. Mark Pomerleau, “New DOD cyber workforce strategy aims to ease revolving door between government and industry,” Fedscoop, March 10, 2023.
  45. LobbyFacts.eu, “The revolving door – from public officials to Big Tech lobbyists,” Corporate Europe Observatory, September 20, 2022.
  46. Sandro Gaycken, “Unlearned Lessons: Why They are so Hard to Learn, and What Could Actually Help,” The Cyber Defense Review, Vol. 7, No. 1, Winter 2022, p. 72.
  47. Giuseppe Pipitone, “Porte girevoli tra politica e affari, la legge che non c’è: così ex ministri e parlamentari sono diventati lobbisti pagati dai privati” (Revolving doors between politics and business, the law that does not exist: how former ministers and parliamentarians became lobbyists paid by private parties), Il Fatto Quotidiano, April 21, 2021.
  48. Sota Kato, “Getting to the Root of Amakudari: Sweeping Reform Needed to Close the Revolving Door,” The Tokyo Foundation for Policy Research, June 13, 2017.