Cyber Attacks and Data Breaches in Review: November 2022

Welcome to our latest monthly review of cyber attacks and data breaches. In November 2022, we found 95 publicly disclosed security incidents, accounting for 32 million breached records.

As ever, you can find the full list of security incidents on our sister site. In this blog, we look at the cyber security headlines across Europe.

Vodafone Italy discloses security breach

Vodafone is facing yet another security headache after its Italian subsidiary confirmed that it had suffered a cyber attack.

In a notice to customers, the telecoms firm said that the incident, which took place in September, resulted in the compromise of sensitive personal data.

The exposed information includes customers’ contact details, subscription details and identity documents. Fortunately, Vodafone said that neither account passwords nor network traffic were breached.

However, it is urging those affected to be careful about potential communications supposedly from the organisation. Scammers are likely to use the stolen information in phishing scams designed to capture people’s login details or financial data.

They might even use the reports of the cyber attack they perpetrated as a pretext for their scam.

Cyber criminals often double up their efforts by sending bogus emails seemingly from the organisation that was breached, encouraging recipients to change their passwords in order to protect their accounts.

In reality, individuals are redirected to a mock-up of the victim’s website where they are instructed to hand over their login details.

This incident follows a cyber attack against Vodafone Portugal in February 2022, in which significant portions of its customer data services were knocked offline.

Meanwhile, the telecom giant has been the repeat target of GDPR (General Data Protection Regulation) investigations related to its poor data protection and privacy practices.

Vodafone’s Spanish subsidiary was fined €8.15 million last year for repeated GDPR violations, with the fine incorporating 191 claims regarding the firm.

Orange confirms data breach following ransomware attack

Meanwhile, another European telecom giant hit the headlines in November. This time it was the French telecom firm Orange, which announced that it suffered a data breach after one of its suppliers suffered a ransomware attack.

In a statement sent to customers notifying them of the incident, Orange warned that the victim – a debt collection service – had access to information relating to customer management activity.

Orange said that a “limited number of clients” were affected by the incident, although the nature of the attack means that the debt collection service will have been left dealing with disruption long after its systems were compromised.

The exposed data includes people’s names, postal addresses, telephone numbers, national identity numbers, dates of birth and nationalities.

Orange assured customers that: “As soon as the provider became aware of the incident, a plan was put in place to limit its scope, and access to our systems was immediately cut off.”

Spain’s National Institute of Cybersecurity has also sent out an alert “of high importance” regarding the incident.

A translation of its warning states: “If you have received the communique from the affected company, we advise you to be especially cautious over the next few months with emails, messages or calls from which you cannot confirm their origin or sender, especially messages requesting bank information or credentials. These messages could be fraudulent.

“In case your bank details were affected by the incident, check your latest bank statements. If you detect any unknown purchases, contact your bank to take the appropriate measures.”

Dutch Land Registry learns that sensitive data was exposed for a month

The Dutch Land Registry disclosed a data breach in November that left protected residential addresses exposed for almost a month.

According to the organisation, which is responsible for tracking the owners of real estate throughout the Netherlands, the error occurred during a system update on 18 September, and meant that information belonging to people whose details were supposed to be kept hidden was made public.

This includes people who requested that their information be hidden because they are “threatened” – whether that’s because they are deemed at-risk by the national counter-terrorism coordinator or are currently under personal protection.

The Land Registry, which didn’t notice the mistake until 11 October, described the error as “annoying” in an email to victims. Surely those whose data privacy and potential safety have been breached would consider it a little more serious than that.

Are you prepared for a cyber attack?

If you’re facing a cyber security disaster, IT Governance is here to help.

Our Emergency Cyber Incident Response Service provides the support you need to deal with the incident, as our experts guide you through the recovery process.

They’ll review the breach, mitigate the damage and ensure that you are up and running again as soon as possible.
