IT security incident update — March 2026

Notice pursuant to Article 34 of Regulation (EU) 2016/679

Sofinter S.p.A. publishes this notice to inform all its stakeholders — employees, former employees, collaborators, customers, suppliers and partners — of a cybersecurity incident that occurred between 20 and 24 January 2026, which constituted a personal data breach within the meaning of Regulation (EU) 2016/679 (the “GDPR”).

What happened

Between 20 and 24 January 2026, malicious external actors carried out a targeted cyberattack against Sofinter’s IT infrastructure. The attack exploited compromised access credentials to penetrate the systems and resulted in: (a) the temporary encryption of the VMware ESXi/vSphere virtualisation infrastructure at the Gallarate site; (b) the exfiltration (unlawful copying) of a significant volume of data stored on corporate servers.

On 6 February 2026, Sofinter learned that the criminal group responsible (PayoutsKing) had published an announcement on the dark web offering the stolen data for sale.

The incident has been notified to the Italian Data Protection Authority (Garante per la protezione dei dati personali) pursuant to Article 33 GDPR.

What data was involved

The forensic analysis conducted by a specialist firm established that the personal data potentially affected includes: personal and contact details; copies of identity documents (national identity cards, passports, tax code documents); employment and payroll data, including banking details (IBAN); payment data; health data; data relating to trade union membership and political opinions. Not all individuals are affected by all categories of data; the nature and extent of the exfiltration depend on what data was specifically stored in the systems for each individual.

What we have done

Sofinter implemented a comprehensive incident response plan, including: full restoration of the IT infrastructure (completed 28 January 2026); immediate blocking of compromised credentials and forced password reset for all domain users; strengthening of cybersecurity systems (multi-factor authentication, privileged access management, system hardening, immutable backup solutions, cloud replication); continuous dark web monitoring; mandatory notification to ACN/CSIRT-Italy pursuant to the NIS2 framework (20 February 2026); filing of a criminal complaint with the Carabinieri (9 February 2026); direct communication to identified individuals via email; appointment of a specialist forensic firm (FTI Consulting) for incident analysis.

What you can do if you may be affected

We recommend that you pay close attention to any unexpected communications — by email, SMS, or phone — that request personal data, credentials, or payments, and to monitor your online and banking accounts for any unusual activity. If you believe you have suffered any damage or have doubts about your specific situation, you may contact us at the address provided below.

Your rights

You may exercise the rights provided for in Articles 15–22 of the GDPR (including access, rectification, and erasure of data) by writing to Sofinter S.p.A. at the addresses indicated below or by consulting the privacy section on the website www.sofinter.it. You also have the right to lodge a complaint with the Italian Data Protection Authority (www.gpdp.it).

Contact

For any questions relating to this notice or the exercise of your rights:

● Sofinter S.p.A. — Via Conservatorio 17, 20122 Milan (MI), Italy

● Certified email (PEC): sofinter@legalmail.it

● Email: cybersecurity@sofinter.it

● Website: www.sofinter.it

We apologise for any inconvenience and for any concern this incident may have caused. We remain committed to full transparency and to protecting the personal data of all those who interact with us.

Sofinter S.p.A.