Cyber attacks and data breaches in review: March 2021

In March, we found 151 publicly disclosed data breaches and cyber attacks, making it by far the leakiest month we’ve recorded.

By comparison, there were just 82 incidents in January and 118 in February.

You can find the full list of incidents on our sister site, but as always, this blog delves into some of the notable incidents affecting European organisations.

Norway parliament hacked ahead of election

Six months before Norway’s general election, its parliament has been infiltrated by criminal hackers.

The attack is linked to a vulnerability in Microsoft Exchange software, which has been causing havoc across the globe.

Microsoft disclosed four zero-day bugs earlier in March – along with patches to fix them – but organisations that failed to apply updates promptly left their systems exposed.

The zero-days in question affect on-premises Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019.

When criminal hackers use these vulnerabilities in an attack chain, they can deploy malware, execute code remotely, hijack servers, create backdoors and access sensitive information.

When the patches were released, there had been a handful of intrusions. However, disclosing the vulnerabilities brought unwanted attention, and attacks soon spiralled.

Researchers at ESET reported that at least ten groups were taking advantage of the bugs. They primarily targeted governments, academic institutions and non-government organisations in several sectors, including agriculture, biotechnology, aerospace, defence, utilities and pharmaceutical.

“This is an attack on our democracy,” parliament President Tone Wilhelmsen Troeen said. “The severity is underscored by the fact that this is happening in the run-up to a parliamentary election and as parliament is handling a pandemic.”

Dutch car garage service RDC hacked

The personal data of as many as 7.3 million Dutch residents has been put up for sale on the dark web following a data breach at RDC.

The information includes home addresses, telephone numbers, email addresses, licence plates and dates of birth, according to researchers at NOS.

It’s not clear how RDC, which provides IT services to car garages in the Netherlands, was infiltrated. However, some of the data was supplied to the organisation via the Dutch national road transport agency.

“For criminals, this is super useful information,” John Fokker, security researcher at McAfee, told NOS. “Gangs of criminals who get their hands on this data can now see with one click of a button where expensive cars are.”

Fokker also noted that the information can be used for online scams. Attackers can match an individual with the car they drive, allowing them to create tailored attacks imitating, for example, speeding fines.

Ticketcounter refuses to negotiate with criminals

We stay in the Netherlands for our final story, which involves a data breach at the e-ticketing company Ticketcounter.

The breach occurred after the organisation copied a database to a Microsoft Azure server to test an anonymisation process that replaces personal data with fake details.

This is standard practice if you want to use the data for analysis and it’s not necessary to know who it belongs to. Doing so gives you more freedom with the data and mitigates the risk of a loss of confidentiality.
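A sketch of such an anonymisation pass, added here as an illustration and not taken from Ticketcounter or the original article: it replaces each personal field with a keyed, repeatable fake value and then checks that no original value survives in the output. The field names, the key and the sample records are assumptions, modelled on the data types this article says were exposed.

```python
import hashlib
import hmac
import ipaddress

# Hypothetical key: generate one per run and keep it out of the test environment.
SECRET = b"constructed-demo-key"

SAMPLE = [  # constructed records, not real data
    {"id": 1, "full_name": "Jan Jansen", "email": "Jan.Jansen@example.org",
     "phone": "+31 6 12345678", "ip": "198.51.100.23",
     "password_hash": "5f4dcc3b5aa765d61d8327deb882cf99"},
    {"id": 2, "full_name": "J. Jansen", "email": "JAN.JANSEN@EXAMPLE.ORG",
     "phone": "+31 6 87654321", "ip": "198.51.100.77",
     "password_hash": "e99a18c428cb38d5f260853678922e03"},
]

def _token(field: str, value: str, length: int = 10) -> str:
    """Keyed, deterministic token: same input gives the same fake value."""
    msg = f"{field}:{value}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:length]

def anonymise(record: dict) -> dict:
    """Return a copy of the record with personal data replaced by fake details."""
    out = {"id": record["id"]}  # surrogate key kept so joins still work
    out["full_name"] = "User " + _token("name", record["full_name"], 8)
    # Normalise first so one mailbox always maps to one fake address.
    email = record["email"].strip().lower()
    out["email"] = _token("email", email) + "@example.invalid"
    digits = int(_token("phone", record["phone"], 12), 16) % 10**7
    out["phone"] = f"+00 000 {digits:07d}"
    # Map every address into the documentation range 203.0.113.0/24 (RFC 5737).
    host = int(_token("ip", record["ip"], 2), 16)
    out["ip"] = str(ipaddress.ip_address("203.0.113.0") + host)
    # Password hashes have no analytic value, so they are dropped entirely.
    out["password_hash"] = None
    return out

def leaked_values(original: dict, anonymised: dict) -> list:
    """Names of fields whose original value still appears in the output."""
    blob = " ".join(str(v) for v in anonymised.values() if v is not None)
    return [k for k, v in original.items() if k != "id" and str(v) in blob]

if __name__ == "__main__":
    for rec in SAMPLE:
        fake = anonymise(rec)
        print(fake, "leaks:", leaked_values(rec, fake))
```

Running the pass where the data already lives, and copying only its output to the test server, means a misconfigured test database holds no real personal data.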

But as CEO Sjoerd Bakker explained, the database wasn’t properly secured, allowing a cyber criminal to access and download the information.

As many as 1.9 million unique email addresses were compromised in the attack, along with full names, phone numbers, IP addresses and hashed passwords.

The attacker then contacted Ticketcounter and demanded seven bitcoins (about €350,000) to return the data, or they would leak it online and contact the organisation’s partners to alert them to the breach.

However, Ticketcounter refused to negotiate – and had already contacted its clients to inform them of the breach.

This was the perfect response, because even if Ticketcounter had paid up, the data was still breached (that is to say, an unauthorised person accessed it) and the organisation was required to disclose it.

More to the point, there is no guarantee that the attacker would keep their word and delete the stolen information. There is therefore nothing to be gained from paying up, and the breached organisation would be better off spending that money on incident response.

That may include notifying those affected, offering services to help them understand and manage the threat, or bolstering its defences to prevent something like this happening again.
