Data Breaches and Cyber Attacks in Europe in November 2023 – 111,218,696

IT Governance Europe’s research has discovered the following in November 2023:

| Region | Publicly disclosed security incidents | Records known to be breached |
|---|---|---|
| Europe | 139 | 111,218,696 |
| EU | 47 | 109,110,696 |
| Global | 470 | 519,111,354 |

Considering the size of these figures, we’re publishing a special report, focusing on European data breaches and cyber attacks in November 2023.

To read our full global report for November 2023, click here.


Data Breach Dashboard

For a one-page overview of this special report’s key findings, check out our Data Breach Dashboard:

Please bear in mind that the above data only accounts for one month. We need to collect and analyse the data over a much longer period to be able to tell whether these findings are part of a longer-term pattern.

Nevertheless, we’d like to elaborate on some of these data points in this blog.


Data exfiltration

Europe’s performance on data exfiltration appears significantly better than the global benchmark from the same period. However, note that the percentage of incidents for which we don’t know whether data was exfiltrated was significantly higher for Europe (82%) than globally (44%).

In other words, when you combine the ‘yes’ and ‘unknown’ groups, you get 97% and 99% for Europe and globally respectively. So, while Europe’s performance is quite possibly better than the global benchmark, it may not be as good as the Data Breach Dashboard – which is inherently high-level – makes it appear.

Notification

Europe’s rates of notifying a regulator and affected individuals, 6% and 8% respectively, are extremely weak compared to the global benchmarks of 32% and 31% respectively over the same period.

Considering the data breach reporting laws in Europe under, for example, the EU GDPR (General Data Protection Regulation) and its UK equivalent, the UK GDPR, this is alarming.

However, bear in mind that we often find incidents at a very early stage of detection – in most cases, either at the ‘breaking news’ stage in the press, or via listings on criminal gangs’ websites (particularly in the case of ransomware and denial-of-service attacks). It’s entirely possible that the breached organisations simply haven’t had a chance to complete their investigation or notify relevant stakeholders yet.

Supply chain (third-party) attacks

A huge percentage of this month’s incidents in Europe originated from a third party: 61%, compared to 48% globally (which, in absolute numbers, was already more than a ten-fold increase on the previous month).

It’s very possible that third-party breaches are becoming more common. They’re certainly a regular feature in the news – for example, MOVEit. Our research is also showing early signs of this trend, but we’ll need to monitor the data for a longer period before we can confirm or refute this.

It’s also important to remember that a comparatively small number of supply chain attacks can easily skew the number of incidents. It’s in their nature for one attack to compromise potentially hundreds or even thousands of organisations. As we’ll see below, as we dig deeper into the numbers, this may be what happened for Europe this month.

However, that doesn’t stop the numbers from being worrying. It can be challenging to secure your supply chain – organisations tend to simply trust that the products and services they use are safe. But where they aren’t, every organisation that uses them can be at risk, with potentially far-reaching consequences. That those consequences originate from just one source doesn’t make them any less serious.


Top 2 biggest breaches

1. SAP SE Bulgaria

Researchers from Aqua Nautilus have discovered Kubernetes Secrets – objects that contain small amounts of sensitive data, such as passwords, tokens or keys – relating to hundreds of organisations exposed to the Internet in public GitHub repositories.

Among those affected was SAP SE Bulgaria, a multinational software company headquartered in Germany. The researchers discovered credentials that provided access to 95,592,696 artefacts, as well as download permissions and some deploy operations.

The researchers notified SAP SE, which responded “in the most professional and efficient manner”, remediating the issue, launching an investigation and maintaining communications with Aqua Nautilus.

Data breached: 95,592,696 records/artefacts.

2. WeMystic

Portugal-based WeMystic, an online astrology and spiritual wellbeing website, exposed 34 GB of data to the Internet via an unsecured MongoDB database for at least five days.

According to Cybernews, one of the data sets contained 13.3 million records, including names, dates of birth, email addresses and IP addresses, as well as users’ genders and horoscope signs.

Data breached: 13.3 million user records.


Breached countries

This month, the following countries suffered at least one publicly disclosed incident: Austria (1), Bulgaria (1), Denmark (22), Estonia (2), France (1), Germany (1), Ireland (1), Italy (6), the Netherlands (3), Portugal (1), Romania (1), Slovenia (1), Spain (4), Sweden (1), Switzerland (1), Turkey (2) and the UK (89).

Top 3 (by number of incidents)

| # | Country | Incidents |
|---|---|---|
| 1 | UK | 89 (64%) |
| 2 | Denmark | 22 (16%) |
| 3 | Italy | 6 (4%) |

Earlier, we discussed how supply chain attacks can skew the statistics. This is definitely the case in the table above.

For instance, UK service provider CTS suffered a cyber incident this month that also affected around 80 of its clients, all of which are UK law firms.

Meanwhile, in Denmark, 22 energy organisations were compromised in May 2023* in a coordinated attack – what is believed to be the largest attack carried out against Danish critical infrastructure to date. Admittedly, this isn’t a supply chain compromise, but it still shows how one source of hostile action can impact many organisations at once.

The six attacks carried out against Italian organisations were a mix of ransomware and denial-of-service attacks. The victims were Consorzio di Bonifica dell’Emilia Centrale, La Contabile Spa, Cold Car Spa, Art-Eco Srl, Trasporto Locale and Trentino Transport.

*We recorded these as November 2023 incidents because they were only reported in the public domain this month.

Top 3 (by number of records)

| # | Country | Known number of records breached |
|---|---|---|
| 1 | Bulgaria | 95,592,696 |
| 2 | Portugal | 13,300,000 |
| 3 | Turkey | 1,900,000 |

Perhaps oddly, none of the countries in the top 3 by number of publicly disclosed incidents also feature in the top 3 by known number of records breached – though it’s possible that they would be featured, had we been able to report the true number of records breached.

We hope to update our data in due course, for the benefit of our interim and annual reports, when more information is released to the public. And, for that matter, when the breached organisations themselves have a better idea of the extent of the damage done.

Both Bulgaria’s and Portugal’s totals come from just one publicly disclosed incident each: SAP SE Bulgaria and WeMystic, the details of which we discussed earlier.

Though Turkey suffered two publicly disclosed incidents this month, the 1.9 million records known to be breached come from just one incident: what SafetyDetectives believes to be an online platform or service used by Turkish healthcare providers or the Turkish Ministry of Health. The breached data related to Turkish vaccinations.

The other Turkish incident was a ransomware attack on Alvimedica, where data was exfiltrated, though we don’t know how much at the time of writing.


Top 3 most-breached sectors

By number of incidents

| # | Sector | Incidents |
|---|---|---|
| 1 | Legal | 80 (58%) |
| 2 | Energy/utilities | 27 (19%) |
| 3 | Technology | 9 (6%) |

The top spot is held by legal this month, though note that all 80 incidents stem from the same attack on service provider CTS in the UK.

As for the second place, held by the energy and utilities sectors, 22 of the 27 incidents come from the coordinated attack on Danish energy organisations.

A further 2 of the 27 incidents we recorded in the energy and utilities sector are also linked – specifically, the automated controls systems of multiple district heating plants in Estonia were attacked. At the time of writing, we only know that more than one district heating plant was affected, so it’s more than possible that the total number of organisations affected is higher than two.

By number of records

| # | Sector | Known number of records breached |
|---|---|---|
| 1 | Technology | 109,023,696 |
| 2 | Healthcare | 1,900,000 |
| 3 | Finance and insurance | 168,000 |

While the number of incidents suffered by the technology sector was relatively low – 6% of the European total for November – it accounted for the vast majority of records known to be breached: 109,023,696 (98% of the total).

As we discussed earlier, the 1.9 million records in healthcare stem from the vaccination data breach suffered by at least one Turkish healthcare provider or by the Turkish Ministry of Health, via a third-party provider.

The 168,000 in third place comes from just 1 incident: a ransomware attack on HSKSG, where LockBit claimed to have exfiltrated 168 GB of data.* The other incident this month, in the European finance and insurance sectors, was another ransomware attack, suffered by UK-based London & Zurich.

*We use the formula 1 MB = 1 record for incidents where we only know the file size of the data breached. Given that we can’t know the exact numbers, as it depends on the types of records included (for instance, pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.

