Cyber attacks and data breaches in review: September 2019

September may have had fewer data breach incidents than the previous month, but overall there was a massive 363% increase in breached records, totalling 531,596,111.

This number includes a whopping 419 million data records exposed from an unknown server and brings the total number of breached records for the year so far to 10,331,579,614.

Plenty of those breaches occurred in Europe, so let’s delve into a few of them in more detail.

 

Dutch hospital uses medical records as a shopping list

A hospital in The Hague has been fined €460,000 after staff used sheets of paper containing medical information as a shopping list – and then left them in a shopping trolley. 

The breached information includes patients’ names, dates of birth and health issues. 

Thankfully, the person who discovered the list handed it to the police instead of misappropriating it. Health records are highly valued in the cyber crime industry, because they contain detailed information that can be used for identity theft, fraud, or personalised social engineering attacks such as spear phishing. 

Marnix Beekmans, the hospital’s head of communications, expressed his shock at the breach and confirmed that an investigation is being launched. 

This isn’t the first time the hospital has been involved in a data protection gaffe. In 2018, authorities found that dozens of employees had gained unauthorised access to the medical files of Dutch reality TV star Samantha de Jong, commonly known as ‘Barbie’.

 

French retail consultancy exposes millions of clients’ personal data

Paris-based consultancy firm Aliznet was embroiled in a data breach scandal this month after researchers at vpnMentor discovered an exposed database containing the personal data of 2.5 million people. 

The database related to customers of Yves Rocher, a cosmetics company that hired Aliznet, and contained names, phone numbers, email addresses, dates of birth and postcodes.  

Another 6 million customer orders were exposed in the incident, along with data on Yves Rocher’s store traffic, turnover and order volumes, as well as its intellectual property, including ingredients for more than 40,000 products. 

The researchers explained that competitors “could use this information to create highly effective advertising campaigns targeted at Yves Rocher customers”, which could lead to the organisation losing customers and revenue. 

And that’s not all. The vpnMentor team also found an API vulnerability in an application built by Aliznet for Yves Rocher employees that could allow crooks to access the organisation’s systems using legitimate login credentials. This would enable them to obtain more data on Yves Rocher or modify information in the database. 

 

Irish government admits ransomware attack

Richard Bruton, Ireland’s Minister for Communications, Climate Action and the Environment, confirmed this month that his department was struck by a ransomware attack in 2018. 

The department, which is responsible for protecting the country from cyber attacks, was crippled by an attack that encrypted sensitive files and demanded payment for them to be restored. 

Bruton said the ransomware was successfully removed but didn’t discuss how long the attack lasted, what information was compromised and whether the government paid the ransom. 

Experts always advise against meeting criminals’ demands, because there’s no guarantee that they’ll keep their word and it encourages them to launch more attacks. 

However, many organisations, particularly those that provide essential services, feel compelled to take a chance on the ransom, as it’s potentially the quickest way of restoring their systems. 

They therefore pay up but don’t admit it, because they know their decision was risky and detrimental to the wider community. 
