Italy’s digital agency, AGID, has confirmed that a cyber-intrusion targeting hotel booking systems has exposed nearly 100,000 high-resolution scans of passports, national identity cards and other documents collected during guest check-in procedures. The theft, which occurred between June and August 2025, has so far been traced to at least ten hotels across the country, with authorities warning that the number could rise as the investigation progresses. The trove of personal data was advertised for sale on a dark-web forum by a user operating under the alias “mydocs”. AGID said it intercepted the illicit listing and verified that the samples appeared authentic. Because the documents can be used to create counterfeit IDs, open bank accounts or conduct social-engineering attacks, the agency cautioned that the breach poses significant financial and legal risks to affected travellers. Italy’s Data Protection Authority (GDDP) has opened a formal inquiry and urged all accommodation providers to check their systems and report any irregularities. Hotels must also notify guests in line with EU data-breach rules. The incident adds to a string of attacks on the hospitality industry worldwide, underscoring persistent cybersecurity weaknesses despite earlier high-profile breaches at chains such as Marriott and Caesars.