“It cannot be ruled out that the serious attack suffered may have involved personal and particular data in the ownership of the GSE in any capacity”. This was stated by the Energy Services Manager (GSE), after the hacker attack suffered in the night between Sunday 28 and Monday 29 August, on their information systems with “a very new generation of ransomware”. The attackers were found to have affected the network, client, application infrastructure, file server and e-mail systems. The GSE, following the attack, “promptly insulated its infrastructures, deactivating all telematic services, workstations and e-mail. All the analysis activities and the necessary checks to restore the full operation of the information services as soon as possible “. The GSE presented a “report of the attack to the Postal Police on the same date of 29 August and the preliminary notification was also made to the Guarantor for the protection of personal data on 30 August”. The necessary actions to deactivate the machines and the precautionary shutdown of each system, emphasizes the Energy Services Manager, “still do not make it possible today to understand with reasonable certainty the exact extent and extent of the event on personal data referred to by the GSE is the owner, both as regards the operators, for the activities envisaged by the reference regulatory framework, and as regards the data of the human resources who provide service in the company. However, it cannot be excluded that the serious attack suffered may have involved data personal and particular in the ownership of the GSE for any reason “. GSE also informs “all interested parties that there may be a risk that the personal passwords used to access GSE systems are among the possible stolen data”. In this regard, the company explains “that as soon as the systems are reactivated, the GSE will provide, with a specific communication, to have the mandatory password change made to access its services”. Furthermore, underlines the GSE, “until different communication is also made to restart the e-mail, which will be given publicly, we invite you to pay the utmost attention to the e-mails that in these days seem to be traced back to the GSE and which could instead constitute attempts to Finally, the improper publication of personal data is not excluded: in the latter case, the interested parties are reminded, who are aware of the unauthorized dissemination of their data, that they may, for their part, be exercised the right to cancellation pursuant to art. 17 of the Gdpr, without prejudice to any further protection actions by the GSE “.