Welcome to our May 2023 review of cyber attacks and data breaches, where we review the biggest security incidents across Europe.
The biggest story of the month was the mammoth €1.2 billion fine given to Facebook’s parent company, Meta, for a series of GDPR (General Data Protection Regulation) breaches.
It’s the largest penalty ever given for a data protection violation and was the result of a decade-long investigation from Ireland’s Data Protection Commission.
But away from regulatory news, there were several significant cyber security developments. Research from our sister site found 98 publicly disclosed data breaches in May, which resulted in 98,226,877 million breached records.
That includes a historic data breach at the Italian eyewear conglomerate Luxottica and an investigation in the Netherlands regarding a potential data breach at Tesla, while Portugal has re-ignited concerns over Huawei’s data privacy practices.
Luxottica confirms massive 2021 data breach
Last November, rumours began to circulate that Luxottica, one of the world’s largest eyewear companies, had been targeted in a cyber attack.
They began when a criminal hacker attempted to sell what he claimed to be a database containing 300 million records of personal information related to Luxottica customers.
According to the seller, the database contained customers’ full names, email addresses, home addresses and dates of birth.
The information was offered for a private sale on the now-defunct hacking forum Breached, and it was later leaked in its entirety for free.
Luxottica – which owns popular brands including Ray-Ban, Oakley and Costa and makes sunglasses and prescription frames for the likes of Giorgio Armani, Versace and Dolce and Gabbana – has suffered several security incidents in recent years.
In August 2020, it was embroiled in a data breach affecting more than 800,000 EyeMed and Lenscrafters patients. A month later, a ransomware attack shut down the company’s operations in Italy and China.
It initially seemed as though the latest batch of stolen data might have came from one or both of those incidents.
However, cyber security researcher Andrea Draghetti discovered that the information was exfiltrated on 16 Match 2021, and concluded that the data might likely came from a separate, previously undisclosed data breach.
His research also revealed that the stolen data contains 305 lines of data, including 74.4 million unique email addresses and 2.6 million unique domain email addresses.
Luxottica says that it is investigating the incident, and in a statement added: ““We immediately reported the incident to the FBI and the Italian Police.
The owner of the website where the data was posted has been arrested by the FBI, the website was shut down and the investigation is ongoing. “The Italian data protection authority has also been notified and we are considering other notification obligations.
“From our investigation, which is still going on, we know so far that the data primarily consists of customer contact details including names, addresses, phone numbers, emails and dates of birth. The data does not include individuals’ financial information, social security numbers, login or password data or other information that would compromise the safety of our customers.
“EssilorLuxottica remains confident that its systems were not breached and its network remains secure.”
Tesla under scrutiny for alleged data breach
A whistleblower at Tesla has leaked 100 gigabytes of data to the German media outlet Handelsblatt that have sparked serious concerns over the car manufacturer’s safety practices and data protection policies.
The leaked data includes customer complaints from across the US, Europe and Asia about Tesla’s Full Self-Driving features. Drivers expressed their concern over self-acceleration and breaking issues, with 139 reports of “unintentional emergency braking” and 383 reports of “phantom stops”.
It seems as though the whistleblower was compelled to share the data after learning about Tesla’s approach to these complaints. According to a note from Handelsbatt’s editor-in-chief, Sebastian Matthes, Tesla did not respond to complaints but instead “demanded that the data be deleted and spoke of data theft”.
However, in sharing these complaints, the whistleblower has created another problem, with personal data now exposed. And it’s not only customer data that’s affected.
The leaked data includes the names of 100,000 current and former employees, including the Social Security number of Tesla CEO Elon Musk. Private email addresses, phone numbers, employee salaries and customers’ bank details are all thought to be affected as well.
The data protection authority in Brandenburg, which is home of Tesla’s “Gigafactory”, described the data leak as “massive”.
“I can’t remember such a scale,” Data Protection Officer Dagmar Hartge said. She added that the case had been handed to the data protection authority in the Netherlands, where Tesla’s European headquarters are located.
Portugal set to ban Huawei for 5G network
The Portuguese government has announced that it’s planning to ban Huawei from providing equipment for the country’s 5G network.
5G is the latest generation of mobile broadband, promising to deliver download and browsing speeds up to 20 times those of current networks. The technology is being slowly rolled out across the globe, but the major enhancements mean that progress has been years in the making.
Huawei, a Chinese-based tech manufacturing company, has been one of the leading suppliers for 5G technology. However, many governments have expressed concern about the organisation’s ties to the Chinese government.
They fear that Huawei’s products could siphon off information and hand it over to the government. Alternatively, they could install vulnerabilities that enable state-sponsored threat actors to disrupt communications or hack smart technology.
Zhao Houlin, the secretary-general of the International Telecommunication Union, said there is no evidence that the Chinese government could exploit Huawei to gather information, and suggested the US created the suspicion to benefit its own political aims.
For a while, that looked as though it might be the end of the matter. Huawei signed 40 commercial 5G contracts with carriers across the globe, with only Japan, Australia and the US refusing its products and services for government use.
However, suspicions surrounding Huawei have continued, with France, Sweden, Romania, Belgium and Denmark amongst those that have banned Huawei equipment or have required its operators to discontinue its kit.
Portugal has become the latest country set to ban Huawei equipment, according to a document published by the country’s cyber security council.
It contains plans to exclude or apply restrictions on the use of equipment deemed high risk in its 5G network, but does not have any immediate effect because it would need to be approved by the cabinet.
Nonetheless, it appears as though restrictions will almost certainly be forthcoming. It’s a major blow for Huawei’s European ambitions, given that Portugal is one of the biggest recipients of Chinese investment per capita and it was one of a handful of countries that pushed back against calls to ban its products.
Are you prepared for a cyber attack?
If you’re facing a cyber security disaster, IT Governance is here to help.
Our Emergency Cyber Incident Response Service offers the necessary support to deal with the incident, as our experts guide you through the recovery process.
They’ll review the breach, mitigate the damage and ensure that you are up and running again as soon as possible.