Italian tobacco associations estimate up to €250,000 in losses after hundreds of tobacco vending machines were the subject of a cyber-attack thought to be the work of anarchists.
The hack attack on the evening of 25th March targeted vending machines produced by the Italian company Laservideo. Internal documents show 12% of the firm’s machines were affected, with half of those dropping cigarette prices to €0.10 per pack.
The Italian Federation of Tobacconists (FIT) told TobaccoIntelligence between 500 and 1,000 machines were attacked in an episode that raises questions about the security of vending machines of all kinds.
Laservideo estimated that each machine affected lost about €250, though one experienced a loss of €2,300, while 36 others lost over €1,000 each.
Further losses were suffered through customers being unable to purchase tobacco products, though estimates are difficult to calculate.
Would-be customers were surprised to see an unusual greeting on machines’ monitors. Instead of steps for buying cigarettes, they were presented with an image featuring a group of grey figures resembling police and, in the centre, a man with a raised arm in red and a message reading, “Free Alfredo from 41bis”.
Anarchist Alfredo Cospito, jailed in 2012 for a non-fatal gun attack on a nuclear energy boss, is currently on hunger strike in 41-bis, a solitary confinement “hard prison” intended for Mafia leaders.
“As soon as our members notified us about the cyber attack, we sent notifications to our other members telling them to turn off their vending machines,” the FIT spokesperson said.
Another tobacconists association, Assotabaccai, told TobaccoIntelligence that as far as they knew this was the first time cigarette vending machines had been targeted in this way. “Some of our members were able to detect the cyber attack on their own, while others were informed about it by their customers and friends,” they said.
Laservideo clarified that the attacks did not target their servers. It appears that the hackers directly modified individual memory allocations on the distributor’s hard drives, specifically targeting machines in individual retail points.
While the attack is still being investigated, and Laservideo has stated that it is not legally liable for the incident, it has offered compensation to affected tobacconists, covering the price paid by them for lost goods rather than what consumers would have paid under normal circumstances. It is currently unclear whether customs duties will have to be paid on the lost product and, if so, who will be responsible.
– Dario Sabaghi TobaccoIntelligence contributing writer