Westpole LockBit ransomware — Italian PA outage (2023)
LockBit 3.0 encrypted the data centres of Italian cloud provider Westpole, taking down PA Digitale's Urbi platform — which serves 1,300 Italian public administrations including 540 municipalities, the Quirinale presidency, ISTAT, the Bank of Italy, and the Ministry of Environment. Payroll, citizen services, and local-government workflows were degraded for weeks.
- Victim: Westpole / PA Digitale (Urbi platform)
On 8 December 2023, the Italian cloud and managed-services provider Westpole was hit by LockBit 3.0 ransomware at 05:00. The encryption took down the data centres in Milan and Rome that host PA Digitale's Urbi platform — and through it the digital services of approximately 1,300 Italian public administrations, including 540 municipalities, the Quirinale presidency, ISTAT, the Bank of Italy, the Ministry of Environment, and various regional bodies.
What happened
Westpole and PA Digitale together provide the digital substrate for a substantial share of Italian public administration. PA Digitale operates the Urbi platform — used by 1,300 PAs for routine workflows: payroll, citizen-services portals, document management, local-government accounting. When LockBit encrypted Westpole's hosting infrastructure, Urbi went with it.
Italy's national cyber agency, ACN, confirmed LockBit as the responsible operation within days. By 18 December, the practical concern in Italian press was straightforward: many of the affected municipalities scheduled their end-of-month payroll runs through PA Digitale, and payroll suddenly required manual workarounds.
Recovery was staged. Westpole brought back systems progressively; by mid-month, roughly 50% of systems were restored. Within the following weeks Westpole reported full data recovery for more than 700 national and local PA entities linked to the platform.
Impact
- 1,300 Italian public administrations dependent on PA Digitale's Urbi platform affected.
- 540 municipalities impacted.
- Major national bodies including the Quirinale, ISTAT, the Bank of Italy, and the Ministry of Environment affected.
- End-of-month municipal payrolls placed at risk; manual fallback required.
- Staged recovery; ~50% of systems back by mid-December; full data recovery for 700+ entities reported in the following weeks.
Why it matters
Westpole is Italy's reference case for shared-services supply-chain ransomware: a single MSP outage cascading into a country-wide degradation of public services. It also demonstrated, in the European context, that municipal payroll depends on the same SaaS stack as routine document workflows — meaning the operational stakes go from "inconvenient" to "people don't get paid" within weeks of an outage. The case has shaped subsequent ACN guidance on critical-supplier classification and audit obligations.
Timeline
LockBit 3.0 ransomware activates at 05:00 inside Westpole's data centres in Milan and Rome, encrypting infrastructure that hosts PA Digitale's Urbi platform.
PA Digitale services begin to fail across customer public administrations. Affected entities include the Quirinale presidency, ISTAT, the Ministry of Environment, the Bank of Italy, regional councils, and ~540 municipalities.
Italian press reports the outage in detail; ACN (Agenzia per la Cybersicurezza Nazionale) confirms LockBit as the responsible operation.
Press warns that municipal payrolls scheduled for the end of December are at risk; manual fallback processes initiated.
Westpole's staged recovery proceeds; Italian press reports approximately 50% of systems restored mid-month and full data recovery for more than 700 of the national and local PA entities.
Sources
- securityaffairs.com: https://securityaffairs.com/156090/cyber-crime/westpole-ransomware-attack.html
- cybersecitalia.it: https://www.cybersecitalia.it/westpole-lacn-conferma-lockbit-dietro-lattacco-che-sta-bloccando-la-pa/28236/
- cubic-lighthouse.com: https://cubic-lighthouse.com/2023/12/22/lockbit-ransomware-disrupts-public-digital-services-in-italy/news/
- tg24.sky.it: https://tg24.sky.it/cronaca/2023/12/18/pa-digitale-attacco-hacker-westpole
- securityinfo.it: https://www.securityinfo.it/2023/12/13/attacco-ransomware-a-westpole-offline-i-servizi-di-pa-digitale/