Rettorato Sapienza

Resolution of the cyber breach that occurred last February

Communication to all data subjects who have provided personal data to Sapienza University (e.g., suppliers, professionals, others…) pursuant to Art. 34 of Regulation (EU) 2016/679


In accordance with the provisions of Article 34 of EU Regulation 2016/679 (GDPR), Sapienza University of Rome announces the resolution of the cybersecurity incident related to the attack of February 1, 2026. From the very first hours following the event, updates were posted via official social media channels to provide information on service disruptions, restoration activities, and operational instructions. The closure of the incident, achieved on April 2, 2026, by the National Cybersecurity Agency (ACN), was reported to the Governing Bodies on April 9, 2026.
Please be informed that, in accordance with Article 33 of the GDPR, the event was duly notified to the Italian Data Protection Authority (Garante per la protezione dei dati personali).
The ransomware incident, originating from unauthorised access, constituted a personal data breach affecting the confidentiality and availability of the personal data processed by Sapienza. The attack involved approximately 400 servers (both physical and virtual), causing the disruption of key university services, including institutional portals and the InfoStud platform. Administrative workstations were also compromised. Following the incident, the data on the affected systems was found to be encrypted.

To limit potential prejudicial effects resulting from the attack, our university technicians, working in close collaboration with experts from the National Cybersecurity Agency, promptly implemented procedures to isolate the involved systems and progressively restore infrastructure and services. These activities focused on resetting systems from available backups after verifying their correct functioning and data integrity. Concurrently with the restoration, additional security measures were implemented to strengthen the defensive posture of the entire network.

With reference to the personal data involved in the breach, which resulted in the loss of confidentiality (unauthorised access) and availability (temporary inability of authorised individuals to access the data), the analyses conducted and the evidence currently available indicate that the unauthorised access affected data residing on Sapienza’s official file-sharing system for the central administration and on the individual workstations of Sapienza’s technical and administrative staff.

In view of the scale of the attack and the systems involved, the categories of personal data potentially affected by the breach may include:

  • personal identity details;
  • contact data;
  • access and identification data;
  • payment data;
  • data relating to the provision of an electronic communication service;
  • data relating to criminal convictions and offenses or connected security measures;
  • data relating to identification documents;
  • data relating to health.

The investigations carried out following the incident have not identified any evidence that such specific data was stolen and publicly disseminated or used for fraudulent purposes. Sapienza is therefore issuing this communication as a precautionary measure and to recommend paying the utmost attention to any suspicious communications, requests for sensitive data, or unusual actions received via email or telephone.

Should further information emerge concerning the potential effects of the attack in relation to the personal data involved in the breach, Sapienza will provide timely updates.

Please be reminded that each data subject has the right to exercise the rights provided for in Articles 15-22 of the GDPR (access, rectification, erasure, restriction, portability, objection) by contacting the Data Protection Officer (DPO) at the contact details listed below. Each data subject also has the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali - www.garanteprivacy.it).

For any clarification or information regarding this communication and, more generally, the processing of personal data by Sapienza, the Data Protection Officer (DPO) can be reached at the following contact details:

Email: responsabileprotezionedati@uniroma1.it

Certified email: rpd@cert.uniroma1.it

Thursday, 09 April 2026

© Sapienza Università di Roma - Piazzale Aldo Moro 5, 00185 Roma - (+39) 06 49911 - CF 80209930587 PI 02133771002