According to our research, the three biggest European data breaches to be publicly disclosed in October were:
- Motel One: 24,449,137 breached records
- Shadow: 533,624 breached records
- An unidentified Limerick-based IT services company: 512,000 breached records
1. Motel One suffers ALPHV/BlackCat ransomware attack
The German hotel group Motel One – one of the biggest hotel chains in Europe – has revealed that it was the victim of a ransomware attack. According to a brief statement on its website, “address data from customers was accessed – including 150 credit card details”.
Those affected have been informed.
Motel One’s statement came just days after the ALPHV/BlackCat ransomware gang listed the hotel group on its dark web site, where it stated that it had accessed significantly more data than Motel One acknowledges.
According to BleepingComputer, ALPHV claims to have exfiltrated 6 terabytes of data from Motel One, comprising 24,449,137 files.
The stolen data, ALPHV says, “includes PDF & RTF booking confirmations for the past 3 years (5.5 TB) containing names, addresses, dates of reservation, payment method, and contact information. Additionally, there is a significant amount of [Motel One’s] customers’ credit card data and internal company documents, which undoubtedly hold sensitive information”.
BleepingComputer states that Motel One has not responded to its request for comment. The Motel One website still states that, thanks to “extensive measures”, the effects of the attack were “kept to a relative minimum”.
2. Shadow warns customers of data breach
The French cloud computing services provider Shadow has warned its customers that criminal hackers may have accessed their personal information.
According to TechCrunch, Shadow’s CEO Eric Sèle emailed customers in early October, saying: “At the end of September, we were the victim of a social engineering attack targeting one of our employees. This highly sophisticated attack began on the Discord platform with the downloading of malware under cover of a game on the Steam platform, proposed by an acquaintance of our employee, himself a victim of the same attack.”
The attackers were able to access customers’ “full names, email addresses, dates of birth, billing addresses and credit card expiry dates”, although no passwords or sensitive banking data were compromised.
When TechCrunch examined a sample of 10,000 stolen data records from the criminal hacker who claimed responsibility for the attack, it was able to confirm that they corresponded with Shadow staff email addresses and that “many of the customer billing addresses correspond with private home addresses”.
It is not yet known whether France’s data protection supervisory authority, the CNIL, has been notified, as required by the GDPR (General Data Protection Regulation).
3. Unidentified Limerick-based IT services company
The Irish Independent reports that the personal data of thousands of motorists whose vehicles were towed on behalf of the gardaí have been exposed thanks to “a software error at a Limerick-based IT services firm, which is retained by tow-truck companies working for An Garda Síochána”.
In all, 512,000 documents, dating back to 2017, were compromised.
The newspaper reports that Gardaí were notified of the breach in August by the international cyber-security researcher Jeremiah Fowler, who discovered the information in an unprotected online database.
According to Fowler, the database contained “spreadsheets, vehicle registration information, driving licences and other sensitive data”.
He also claimed to be able to “access receipts with full debit card details, as well as drivers’ licences and incident summary reports” containing “names and details of drivers, witnesses and multiple Garda officers”.
Announcing that an investigation had been launched, a Garda spokesperson said:
“Under An Garda Síochána’s contract with individual towing companies, there are clear obligations on individual towing companies to protect any information supplied to them by An Garda Síochána including personal data.”
“This obligation also extends to situations where individual towing companies provide this information to a third party for storage purposes.”
The IT services company blamed a software update for the breach.
Are you prepared for a cyber attack?
If you’re facing a cyber security disaster, IT Governance is here to help.
Our Emergency Cyber Incident Response Service offers the necessary support to deal with the incident, as our experts guide you through the recovery process.
They’ll review the breach, mitigate the damage and ensure that you are up and running again as soon as possible.