Italian company Hacking Team – which has had its systems breached, revealing that despite its denials, it sold spy tools to oppressive regimes in Sudan, Bahrain and Saudi Arabia – received over €1m in public funding from the Italian northern region of Lombardy, according to a privacy group.

UK-based Privacy International reported in 2014 that the Milan-based company, which has been offering its intrusive technology to governments for almost a decade, received €1.5m from two venture capital funds originating from the region of Lombardy in 2007.

One of the two funds, Finlombarda Gestioni SGR S.p.a., has a single shareholder (Finlombarda S.p.a.) whose only shareholder is the region of Lombardy. The Finlombarda website shows Hacking Team listed as one of the beneficiaries of the fund.

"The apparent provision of public money into the growth of Hacking Team is in conflict with the public financial services agency's attempts to codify ethics as a core internal policy," Privacy International said in its 2014 report.

"We are therefore calling for an urgent clarification by both the Italian government and the Region of Lombardy into this, and for their response to the appropriateness of investing public money in technologies that can be used to facilitate human rights abuses."

Since January 2015, Hacking Team's product has been subject to export restrictions from the Italian government, which means the export authority will have to assess the company's products before they get sold.

The leak

Unknown hackers dumped a torrent file with 400GB of Hacking Team's internal documents, emails and source code.

Here is the full list of countries reportedly using Hacking Team's tools according to the leak:

Egypt, Ethiopia, Morocco, Nigeria, Sudan, Chile, Colombia, Ecuador, Honduras, Mexico, Panama, United States, Azerbaijan, Kazakhstan, Malaysia, Mongolia, Singapore, South Korea, Thailand, Uzbekistan, Vietnam, Australia, Cyprus, Czech Republic, Germany, Hungary, Italy, Luxembourg, Poland, Russia, Spain, Switzerland, Bahrain, Oman, Saudi Arabia, United Arab Emirates

The total value of the invoices, according to CSO writer Steve Ragan, is €4,324,350.

Sudan, which is subject to EU restrictive measures that include an arms embargo, received surveillance system from the company, despite its denials. The sale of the cyberweapons to the country is one of the most controversial revelations from the data dump, as the United Nations has been investigating a report by Citizen Lab that Hacking Team's tools were being used there.

Hacking Team's primary product, Remote Control System (RCS), is sold as a system that "provide[s] effective, easy-to-use offensive technology to the worldwide law enforcement and intelligence communities".