Attack alert: datacarry targets Camomilla🇮🇹 - IT
Introduction
The ransomware group datacarry has claimed responsibility for a cyberattack against Camomilla, an Italian women's fashion brand founded in 1999 and employing between 100 and 250 people. Discovered on December 6, 2025, this breach affects a retail company generating €25 million in annual revenue. The incident, classified as SIGNAL level according to the XC-Classify methodology, potentially exposes customer data, e-commerce transactions, and sensitive personal information. This attack comes amid a surge in cyber threats targeting the fashion and e-commerce industry in Italy, where the protection of personal data is a major regulatory challenge under the GDPR.
The malicious actor datacarry uses a double extortion modus operandi that is particularly feared in the cybercriminal ecosystem. First observed in May 2025, this group quickly expanded its reach across Europe and beyond, with victims identified in Latvia, Belgium, Turkey, South Africa, Switzerland, Denmark, and the United Kingdom. Our analysis of verified data reveals that the group systematically exfiltrates information before encryption and then threatens to publish it via a portal hosted on the Tor network. This strategy forces compromised organizations to negotiate even if they have functional backups, as the leak of sensitive data often represents a greater reputational and legal risk than operational disruption.
Detailed Analysis
The diverse sectors targeted by datacarry demonstrate an opportunistic approach: insurance, healthcare, real estate, retail, and aerospace are among the industries affected. This versatility suggests that the malicious actor prioritizes access vulnerabilities over sectoral specialization. Examination of the compromised files shows that the group likely exploits classic initial attack vectors such as targeted phishing, exploitation of unpatched vulnerabilities in exposed systems, or the compromise of privileged accounts. The speed of its emergence and its multi-country deployment indicate a structured organization, potentially operating according to a Ransomware-as-a-Service (RaaS) model with affiliates deploying the malicious payload.
Camomilla🇮🇹 is an established player in the Italian women's fashion retail sector, with over 25 years of experience. Founded in 1999, the company has grown to employ between 100 and 250 people and generate annual revenue of €25 million. Its business combines physical retail in stores with an e-commerce platform, the latter representing a strategic growth driver but also a significant attack surface. The organization collects and processes customer data daily, including personal contact information, purchase history, payment information, and behavioral preferences for marketing personalization.
The compromise of a retailer of this size exposes several categories of critical digital assets. Customer databases typically contain full names, delivery addresses, phone numbers, and email addresses of tens of thousands of Italian and European consumers. E-commerce transaction management systems, while compliant with PCI-DSS standards for banking data, can reveal purchase metadata that can be exploited for targeted phishing campaigns or identity fraud. The potential impact also extends to internal operational data: supplier relationships, business strategies, employee HR information, and intellectual property related to fashion collections.
The exposure, classified as SIGNAL level according to the XC-Classify methodology, indicates a proven threat requiring heightened vigilance, although detailed technical data on the exact volume of exfiltrated information is still being analyzed. This criticality level reflects the sensitive nature of the personal information processed by a retail business, combined with its confirmed presence on the datacarry leak portal. The data suggests that the intrusion likely targeted the IT infrastructure hosting the e-commerce platform and customer relationship management (CRM) systems—critical points for any modern omnichannel retailer.
The precise timeline of the attack remains partially documented, with the public discovery dating back to December 6, 2025, via the group's claim of responsibility on the leak site. It is likely that the initial infiltration phase preceded this announcement by several weeks, during which time the attackers established their persistence, performed lateral reconnaissance of the systems, and exfiltrated the targeted data. This typical timeline for double extortion operations leaves victims with a limited window to react before the stolen information is actually published, generally between 7 and 14 days, according to practices observed among different ransomware groups.
Retail companies in Italy face a strict regulatory environment regarding the protection of personal data. The GDPR imposes notification obligations to the supervisory authorities (Garante per la protezione dei dati personali in Italy) within 72 hours of discovering a personal data breach. For Camomilla🇮🇹, this breach potentially triggers obligations to communicate directly with the affected individuals if the risk to their rights and freedoms is high, which seems likely given the nature of the data processed by a fashion retailer.
Beyond the GDPR framework, the NIS2 directive, transposed into Italian law, strengthens cybersecurity requirements for medium-sized entities operating in sectors considered essential or important. While retail is not systematically classified as a highly critical sector, retailers exceeding certain revenue thresholds or using large-scale digital platforms may be subject to incident reporting and technical compliance obligations. The financial consequences of such a compromise include potential regulatory fines of up to 4% of global annual revenue, technical remediation costs, notification expenses, and monitoring of affected individuals, not to mention the erosion of customer trust, which is difficult to quantify but strategically devastating for a fashion brand.
The Italian retail sector has experienced several similar incidents in recent years, creating a climate of heightened vigilance. The Camomilla compromise could trigger a chain reaction affecting logistics partners, payment providers, and technology suppliers sharing system interconnections with the brand. Competing retailers should consider this incident a wake-up call: attacks targeting the retail sector often follow waves targeting similar organizational profiles, with cybercriminals reusing attack vectors that have proven effective.
Thanks to the XC-Audit protocol, this attack is certified on the Polygon blockchain, guaranteeing immutable and verifiable traceability, unlike traditional opaque centralized systems. Every piece of evidence collected regarding the compromise of Camomilla by datacarry is timestamped and recorded via a cryptographic hash on this decentralized infrastructure, allowing any stakeholder to verify the authenticity and chronology of the information without relying on a single central authority.
Frequently Asked Questions
When did the attack by datacarry on Camomilla🇮🇹 occur?
The attack occurred on December 6, 2025, and was claimed by datacarry. The incident can be tracked directly on the dedicated alert page for Camomilla🇮🇹.
Who is the victim of datacarry?
The victim is Camomilla🇮🇹, which operates in the retail sector. The company is located in Italy. Visit Camomilla🇮🇹's official website. To learn more about the datacarry threat actor and their other attacks, visit their dedicated page.
What is the XC protocol level for the attack on Camomilla🇮🇹?
The XC protocol level is currently at XC SIGNAL status, meaning the attack on Camomilla🇮🇹 has been claimed by datacarry but has not yet been confirmed by our community. Follow the progress of this alert.
Conclusion
This blockchain approach offers several critical guarantees in the context of Cyber Threat Intelligence. First, it prevents any retroactive modification of incident data, preserving the integrity of the evidence for potential legal proceedings or regulatory audits. Second, it establishes a verifiable date for the discovery and documentation of the threat, a crucial element for demonstrating due diligence to data protection authorities. Finally, the inherent transparency of the Polygon blockchain allows security researchers, cyber insurers and regulatory bodies to independently review incident metadata, promoting a coordinated response based on verifiable facts rather than unilateral statements.