Cyber Attacks and Data Breaches in Review: April 2023

Welcome to our April 2023 review of cyber attacks and data breaches, where we review the biggest security incidents across Europe.

Research from our sister site found 120 publicly disclosed security incidents during the month, which resulted in 4.3 million breached records.

That includes a serious leak of military data related to the invasion of Ukraine, a data breach at two European subsidiaries of Hyundai and an update on a “despicable” data breach from 2020.


Governments weigh in ‘the most serious intelligence leak in a decade’

The US government has been one of Ukraine’s biggest allies following Russia’s invasion last year, but it recently committed a major security blunder that has undone at least some of its good work.

Dozens of classified Defense Department documents were published online, revealing details of the US espionage in Russia and elsewhere – including spying activity on Volodymyr Zelensky.

The documents also include assessments of Ukraine’s combat power, with one document suggesting that the Ukrainian army isn’t as well supplied or organised as many people have reported.

Although the data leak doesn’t include sensitive personal data, it’s nonetheless a major own goal for US government, undermining its security efforts and its reputation.

The Economic described it as “America’s most serious intelligence leak in a decade”, while the Italian newspaper Repubblica believes that further leaks could emerge.

According to the documents, which first appeared online in March, “Ukraine is not able to perform as well on the battlefield against Russia as [the press] has spent months celebrating”.

Documents show that there are “enduring Ukrainian deficiencies in training and munitions supplies” which, they suggested, “probably will strain progress and exacerbate casualties during the offensive.”

Speaking to Financial Times, one European official said that the revelations detailed in the leak are not just bad news for Ukraine but for “everyone.”

They added: “It’s bad news for the Ukrainians, it’s bad news for the Americans because everyone sees how they operate, and it’s bad news for the allies more generally because we see that the Ukrainians are running out of ammunition, which is not the best message you want in the air.”

Curiously, there has been some speculation about the authenticity of the leaked documents, with Le Figaro suggesting that they appeared “sometimes altered”. However, Economist editor Shashank Joshi believes that the US government’s response to the leak “all but confirms [that the documents] are authentic”.


Hyundai data breach exposes car owners’ personal details

Last month, Hyundai disclosed a data breach in which Italian and French customers’ personal data was stolen.

According to multiple reports on Twitter and a sample of the notice shared by cyber security researcher Troy Hunt, the breached data includes email addresses, physical addresses, telephone numbers and vehicle registration numbers.

Hyundai emphasised, however, that neither financial records nor identification numbers were compromised in the attack.

The South Korean car giant said that it had brought in IT experts to help control and respond to the breach. Its systems were taken offline until additional security measures were implemented, while customers have been warned to look out for scam emails.

A statement issued by Hyundai Italy and France read (via machine translation): “Although there is no evidence that the data concerned have been used for fraudulent purposes, out of extreme caution, we invite you to pay particular attention and to verify any contact attempt via e-mail, mail and/or text message that may appear to come from Hyundai Italia or by other entities of the Hyundai Group.”

It’s unclear how many people have been affected by this incident, or how long the network intrusion lasted. However, it’s believed that it was only customers in Italy and France that were impacted, while drivers elsewhere remain safe.


Former CEO of Finnish therapy clinic jailed for data privacy breach

Three years ago, the therapy clinic Vastaamo hit the headlines after it exposed patients’ personal details and notes about issues that had been discussed in therapy sessions.

The cyber criminal, which one reporter described as “despicable”, demanded a €450,000 ransom for the records – which included psychotherapy notes from 40,000 people, including children.

Vastaamo, which declared itself bankrupt as a result of the scandal, later learned that it had first been breached in November 2018 and again in mid-March 2019.

Things got worse when it was revealed that Ville Tapio, then-CEO of the firm, had known about the breach in 2019 but didn’t report it to the authorities or other members of the board.

Unsurprisingly, Tapio was fired, but that wasn’t the end of the matter. In April 2023, he was given a three-month suspended jail sentence for his negligent actions.

The Helsinki District Court said that the severity of the crime, plus the length of time for which the data was exposed, meant that a prison sentence was warranted. However, the court acknowledged that Tapio had no previous criminal record and agreed to give him a suspended sentence.

You might think that Tapio would have been extremely grateful for the court’s lenience. His failure to report the breach was a clear violation of data protection law, and the highly sensitive nature of the incident put breached ethical standards.

Moreover, in refusing to inform other members of the board, he compromised other senior employees’ ability to respond appropriately. The organisation couldn’t, for instance, implement security measures to prevent similar incidents occurring or take necessary actions to protect affected individuals.

A similar incident at Uber, in which the organisation concealed a data breach, resulted in a conviction of up to eight years for its chief security officer, Joe Sullivan.

Yet, in this case, Tapio has denied committing an offence and said that it was the IT team who were responsible for the breach.


Are you prepared for a cyber attack?

If you’re facing a cyber security disaster, IT Governance is here to help.

Our Emergency Cyber Incident Response Service offers the necessary support to deal with the incident, as our experts guide you through the recovery process.

They’ll review the breach, mitigate the damage and ensure that you are up and running again as soon as possible.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.