Cyber attacks and data breaches in review: February 2020

This month has been a mixed bag in terms of cyber security incidents. On the one hand, the 630 million breached records represent a massive drop-off from last month and bring the monthly average back down to about the same level as 2019.

However, that total comes from a whopping 106 incidents, which makes February the second leakiest month that we’ve ever recorded.

As always, we use this blog to take a look at some of the most notable incidents from across Europe.

Cyber attack reveals data retention breach at Dutch airline

The low-cost airline Transavia has confirmed that it suffered a cyber attack affecting up to 80,000 passengers.

The breached data includes passengers’ full names, date of birth, luggage reservations and whether or not they required assistance at the airport.

That all sounds about standard, right? It’s a typical breach that shows how every organisation is vulnerable to a cyber attack even if you think you don’t store any sensitive information.

Except there are two things that make this incident notable. First is that the attackers didn’t break into Transavia’s databases; the information was sitting in an employee’s email inbox.

Second, the information dates back over five years – relating to anyone who flew with one of the airline’s subsidiaries between 21 January and 31 January 2015.

Why was this information sitting in an employee’s inbox when the GDPR (General Data Protection Regulation) has strict rules on data retention?

Specifically, it states that organisations can only hold on to personal information if there’s a clear reason to do so; once they no longer need the information, it must be disposed of.

This incident is a perfect example of why that rule is in place. Transavia may or may not have had a legitimate reason to hold on to the data, but either way, it needed to be more careful about how it protected it.

The Dutch Data Protection Authority will no doubt take a closer look at this when investigating the breach, and it could factor into any disciplinary action it takes.

Patient records from Northern Irish hospital found on the street

You might remember that last year a Cork man was accused of committing a data breach after telling the media that he’d found medical records lying on the street.

Well, it seems that north of the border is more grateful for good Samaritans, after a man and his daughter handed over discarded medical records to the Portadown Times.

The records contained detailed information on 18 patients at Craigavon Area Hospital, including their name, age, social history and reason for admission.

The man who found the documents said: “These are very personal details and should never have left the hospital never mind end up at the side of a road.

“I hope these patients and their families or carers will be informed of this confidentiality breach.”

The hospital acknowledged its error and said that the incident had been reported to the ICO (Information Commissioner’s Office).

Plastic surgery imaging firm leaks patient photos on unsecured database

NextMotion, a French tech firm that provides imagery services to plastic surgeries, has exposed about 900,000 documents after storing them in a misconfigured Amazon Web Services S3 bucket.
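An S3 bucket becomes world-readable through one of three settings: a public ACL grant, a bucket policy with a wildcard principal, or the absence of the Public Access Block that would neutralise both. The audit below is an added example, not code from the original post or from NextMotion or vpnMentor; it evaluates the dict shapes that boto3's `get_public_access_block()`, `get_bucket_acl()` and `get_bucket_policy()` return, so it runs offline against the constructed sample data embedded at the bottom. The `fetch_from_aws()` helper, which needs credentials and boto3, is the only part that touches a live account, and `LEAKY_*`/`HARDENED_PAB` are constructed inputs rather than anything observed in the incident.

```python
"""Audit whether an S3 bucket's configuration leaves its objects public.

Added example (not from the original post). Combines the three settings that
decide exposure: the bucket Public Access Block, the bucket ACL and the bucket
policy. Input dicts follow the shapes boto3 returns.
"""
import json

# Canned ACL grantees that mean "everyone" (AllUsers) or "any AWS account".
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def acl_is_public(acl):
    """True if any grant in a get_bucket_acl() result targets a public group."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            return True
    return False


def _principal_is_wildcard(principal):
    """Handle the three spellings of an anonymous principal in IAM JSON."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_is_public(policy_json):
    """True if an Allow statement has a wildcard principal and no Condition.

    A Condition may still leave the statement public (e.g. a broad aws:SourceIp
    range), so conditioned statements are reported separately by the caller.
    """
    if not policy_json:
        return False
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    return any(
        s.get("Effect") == "Allow"
        and _principal_is_wildcard(s.get("Principal"))
        and not s.get("Condition")
        for s in statements
    )


def assess_bucket(pab, acl, policy_json):
    """Return (exposed, findings) for one bucket.

    pab is the PublicAccessBlockConfiguration dict, or None when it was never
    set (boto3 raises NoSuchPublicAccessBlockConfiguration in that case).
    """
    pab = pab or {}
    findings = []
    exposed = False
    if acl_is_public(acl):
        if pab.get("IgnorePublicAcls"):
            findings.append("public ACL grant present but ignored by IgnorePublicAcls")
        else:
            exposed = True
            findings.append("bucket ACL grants access to everyone")
    if policy_is_public(policy_json):
        if pab.get("RestrictPublicBuckets"):
            findings.append("public bucket policy present but limited by RestrictPublicBuckets")
        else:
            exposed = True
            findings.append("bucket policy allows anonymous principals")
    if not all(pab.get(k) for k in PAB_KEYS):
        findings.append("Public Access Block not fully enabled")
    return exposed, findings


def fetch_from_aws(bucket):
    """Pull the three settings for a real bucket (requires boto3 + credentials)."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    try:
        pab = s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    except ClientError as e:
        if e.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
            raise
        pab = None
    acl = s3.get_bucket_acl(Bucket=bucket)
    try:
        policy = s3.get_bucket_policy(Bucket=bucket)["Policy"]
    except ClientError as e:
        if e.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
        policy = None
    return assess_bucket(pab, acl, policy)


# Constructed sample data: an open bucket and the settings that would close it.
LEAKY_ACL = {"Grants": [{"Grantee": {"Type": "Group",
                                     "URI": PUBLIC_GRANTEES and
                                     "http://acs.amazonaws.com/groups/global/AllUsers"},
                         "Permission": "READ"}]}
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})
HARDENED_PAB = {k: True for k in PAB_KEYS}

if __name__ == "__main__":
    print(assess_bucket(None, LEAKY_ACL, LEAKY_POLICY))
    print(assess_bucket(HARDENED_PAB, LEAKY_ACL, LEAKY_POLICY))
```

Run across every bucket in an account, the second tuple element gives the evidence to attach to a ticket; the boolean alone is enough for an alert. Enabling all four Public Access Block settings at the account level closes the ACL and policy paths at once, which is why the example reports that gap even when neither is currently public.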

The organisation offers before and after images of patients to show them the effects of cosmetic surgery. In doing so, it collects vast amounts of personal data on subjects – including the very fact that they’ve had surgery, something that many people are reluctant to admit.

The database includes videos of 360-degree body and face scans and patient photos that, in some cases, captured their genitals or breasts.

NextMotion’s CEO, Dr Emmanuel Elard, has apologised for the incident but insisted that the breached records didn’t include identifiers such as names, contact details or dates of birth.

However, the vpnMentor researchers who discovered the breach noted that the exposed information included invoices, which contain the patients’ names and other sensitive personal details.

NextMotion’s inability – or unwillingness – to disclose the extent of the breach may well come back to haunt it, as it raises suspicion about how vigilant it is when it comes to GDPR compliance.

After all, a leaked database doesn’t necessarily undermine the organisation’s data protection practices. It could have been doing everything in its power to stay secure but didn’t foresee an employee making a mistake when configuring the database.

Not owning up to the breach, however, is a lot more concerning, as it points to a systemic failure to understand where the organisation stores sensitive information.

As with so many incidents, the moral of the story is that the way you respond to an incident is just as important as the breach itself. Don’t downplay the damage simply for the sake of it; in many cases, it only invites further scrutiny.
