61 GB of French hospital data stolen and published

Plus: German military leaks over 6,000 video meetings

Welcome to this week’s round-up of the biggest and most interesting news stories in Europe.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

Data stolen in Simone Veil cyber attack – 61 GB allegedly published by LockBit

In April, the French hospital Simone Veil, based in Cannes, announced that it was the victim of a cyber attack. The ransomware group LockBit has now claimed the attack and published data from the hospital.

The hospital has confirmed that the data is real.

Data breached: 61 GB.

Bundeswehr leaked more than 6,000 video meetings

The German military, the Bundeswehr, leaked more than 6,000 meetings, according to research by Zeit Online. Many of those meetings were classified as ‘confidential’.

Apparently, unauthorised users could look at metadata for months, including times, participants and topics of Bundeswehr meetings hosted on Cisco’s Webex.

The Bundeswehr said it fixed the bug within 24 hours of becoming aware of it.

Data breached: >6,000 meetings.


Publicly disclosed data breaches and cyber attacks in Europe: full list

This week, we found 72,012 records known to be compromised in Europe, and 7 European organisations suffering a newly disclosed incident. All of them are known to have had data exfiltrated, exposed or otherwise breached.

We also found 1 European organisation providing a significant update on a previously disclosed incident.

| Organisation(s) | Sector | Location | Data breached? | Known data breached |
|---|---|---|---|---|
| Hôpital de Cannes – Simone Veil (Update). Source 1; source 2; source 3 | Healthcare | France | Yes | 61 GB |
| Bundeswehr (New). Source | Defence | Germany | Yes | >6,000 |
| States of Guernsey (New). Source | Public | UK | Yes | >5,000 |
| Edenred (New). Source | Finance | Belgium | Yes | 10 |
| Magnet+ (New). Source | Telecoms | Ireland | Yes | Unknown |
| Mellitah Oil and Gas B.V (New). Source | Energy | Italy | Yes | Unknown |
| Bitvavo (New). Source | Crypto | Netherlands | Yes | Unknown |
| University of Alicante (New). Source | Education | Spain | Yes | Unknown |

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all. To learn more about our research methodology, click here.


AI

noyb files complaint against OpenAI for not correcting inaccurate information

The non-profit noyb filed a complaint against OpenAI with the Austrian data watchdog for failing to meet a key GDPR requirement: that personal data is accurate, and that data subjects have full access to that data along with source information.

noyb says: “OpenAI openly admits that it is unable to correct incorrect information on ChatGPT. Furthermore, the company cannot say where the data comes from or what data ChatGPT stores about individual people. The company is well aware of this problem, but doesn’t seem to care.”

ICO publishes its response to regulating AI consultation

With the ICO (Information Commissioner’s Office) consultation on “Regulating AI: the ICO’s strategic approach – a response to the DSIT Secretary of State” now closed, the UK regulator has published its response.


Enforcement

New UK laws for IoT device security

The UK government has published new laws requiring Internet-connected smart devices to meet a minimum security standard. Most notably, it’s banning bad default passwords on IoT (Internet of Things) devices, becoming the first country to do so.

Group CEO Alan Calder commented:

It’ll certainly improve the long-term robustness of the UK’s cyber security infrastructure – but that’ll only be gradual, because it only applies to new devices.

The laws don’t apply retrospectively to the millions of inadequately protected smart devices already in service – and which are replaced over decades rather than months.

So, there won’t be any immediate benefit in terms of reduction in data breaches – progress on that front will continue to depend on better-educated consumers!

Three new GDPR fines

The Czech supervisory authority issued a €13.9 million fine for violating Articles 6 and 13 of the EU GDPR. Meanwhile, the Greek authority issued the Hellenic Post a fine of 1% of the most recent global annual turnover for violating Articles 5(1)(f) and 32.

Under the UK GDPR, the ICO issued a £7,500 fine to the Central Young Men’s Christian Association for failing to use Bcc, thereby revealing HIV status.


Other news

Security research team finds nearly 3 million Docker Hub repositories host malicious content

JFrog and Docker partnered for security research, finding that nearly 3 million Docker Hub repositories – almost 20% of all public repositories – host malicious content.

ICO and Ofcom publish statement on collaboration on regulating online services

Two UK regulators, the ICO and Ofcom (the UK’s communications regulator), have published a joint statement on “the regulation of online services where online safety and data protection intersect” to ensure “a coherent approach to regulation”.


New guidance

New NCSC guidance: AMS (Advanced Mobile Solutions)

The UK NCSC (National Cyber Security Centre) has published new guidance, called ‘AMS’ or ‘Advanced Mobile Solutions’. This risk model, along with “a set of architecture patterns and associated technologies”, allows “high-threat organisations to stay connected ‘on the go’.”


Recently published reports


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.

