The Week in Cyber Security and Data Privacy in Europe: 1 – 7 April 2024

17,501,908 known records breached in 22 newly disclosed incidents

Welcome to this week’s round-up of the biggest and most interesting news stories in Europe.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.

Publicly disclosed data breaches and cyber attacks: in the spotlight

HIBP adds more than 4.4 million SurveyLama users’ information to its database

The data breach notification platform Have I Been Pwned has added more than 4.4 million people’s information to its database following a data breach at the survey rewards platform SurveyLama earlier this year.

According to the listing, the breach occurred on 1 February 2024, exposing information from 4,426,879 accounts, including names, dates of birth, addresses, phone numbers, email addresses, passwords and IP addresses.

Data breached: 4,426,879 accounts.

Allium UPI loyalty card unlawfully accessed

Allium UPI, an Estonian pharmacy and hospital goods supplier, has suffered a data breach affecting its loyalty card system.

Attackers downloaded customer data, including nearly 700,000 personal identification codes, more than 400,000 email addresses, nearly 60,000 home addresses and approximately 30,000 phone numbers relating to Apotheka, Apotheka Beauty and PetCity loyalty card users.

The Estonian Central Criminal Police, the Office of the Prosecutor General, the Data Protection Inspectorate and the Information System Authority said in a joint statement that they’re investigating the incident.

Data breached: 1,190,000 records.

Publicly disclosed data breaches and cyber attacks in Europe: full list

This week, we found 17,501,908 records known to be compromised in Europe, and 22 European organisations suffering a newly disclosed incident. 16 of them are known to have had data exfiltrated, exposed or otherwise breached. None are confirmed not to have had data breached.

We also found 1 European organisation providing a significant update on a previously disclosed incident.

Organisation(s) | Sector | Location | Data breached? | Known data breached
SurveyLama (Globe Media)
Source 1; source 2
Professional services | France | Yes | 4,426,879
Benetton Group
Leicester City Council
Source 1; source 2; source 3
Public | UK | Yes | 3 TB
IT services | France | Yes | 2,700,000
HSBC and Barclays
Allium UPI, UAB, Apotheka, Apotheka Beauty and PetCity
Tiger-One Distribution
The European House-Ambrosetti
Professional services | Italy | Yes | >100,000
Prosecutor General’s Office of the Russian Federation
Source 1; source 2
Urban Sports Club
Professional services | Germany | Yes | Unknown
EAS change systems
Southend-on-Sea City Council
Citizens Channel
Düsseldorf Airport
Ministry of Foreign and European Affairs of the Slovak Republic
PrePay Technologies SA
IT services | Spain | Unknown | Unknown
City of Birmingham

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all. To learn more about our research methodology, click here.


Rise in criminal campaigns using AI

Bitdefender Labs reports that, over the past year, it’s seen an increase in “AI-powered illicit operations conducted by threat actors over social media, from stream-jacking attacks that delivered crypto-doubling schemes on YouTube to audio deep fakes that overflow on Meta’s social platforms”.

UK and US announce AI safety partnership

Following commitments they made at last November’s AI Safety Summit, the UK and US have signed a memorandum of understanding that will see them work to align their scientific approaches to develop tests to evaluate AI models, systems and agents.


Google agrees to delete billions of records and reduce incognito user tracking

Google has agreed to settle a 2020 class action lawsuit accusing it of invading people’s privacy by collecting user data even in incognito mode.

Google’s spokesman Jorge Castaneda said: “We are pleased to settle this lawsuit, which we always believed was meritless. We are happy to delete old technical data that was never associated with an individual and was never used for any form of personalization.”

Greek data protection authority fines ministry €175,000 for GDPR infringements

Greece’s data protection authority has issued the country’s Ministry of Migration and Asylum with an administrative fine of €175,000 for GDPR infringements relating to its processing of asylum seekers’ personal data. The Ministry’s DPIAs (data protection impact assessments) of its Centaurus and Hyperion programmes were found to be materially incomplete and limited in scope.

ENISA publishes Cyber Resilience Act Requirements Standards Mapping

The EU agency for cyber security, ENISA, has published a new study identifying the existing cyber security standards that are most relevant to each requirement of the Cyber Resilience Act and highlights possible gaps to be addressed.

Other news

ICO sets out priorities to protect children’s online privacy

As part of its 2024–2025 priorities for protecting children’s personal information online, the ICO (Information Commissioner’s Office) has called on social media and video-sharing platforms to ensure children are safer when using their services. The new Children’s code strategy sets out the data protection practices that need to be improved to safeguard children’s privacy.

Germany to launch cyber military branch to combat Russian cyber aggression

As part of a military restructuring programme, Germany will introduce a fourth independent branch of its armed forces – the German Cyber and Information Domain Service. The country’s defence minister, Boris Pistorius, told a press conference in Berlin: “No one should have the idea of attacking us as a NATO territory. We have to convey this credibly and truthfully.”

EU to drop cyber security certification scheme’s sovereignty requirements

The latest draft of the EU’s cyber security certification scheme omits the requirement for vendors to be independent of non-EU laws. Cloud vendors will now be obliged only to provide information about where information is stored and processed, and applicable local laws. The new version of the scheme is now under review.

Recently published reports

Key date

30 April 2024 – ISO/IEC 27001:2013 certification unavailable

Certification bodies must stop offering (re)certification to ISO 27001:2013 by 30 April. The new iteration of the Standard, ISO 27001:2022, isn’t significantly different from ISO 27001:2013, but there are some notable changes. Learn more about complying with ISO 27001:2022.

That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.

Security Spotlight

To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.

Every Tuesday, you’ll get a short email with:

  • Industry news, including this weekly round-up;
  • Our latest research and statistics;
  • Interviews with our experts, sharing their insights and expertise;
  • Free useful resources; and
  • Upcoming webinars.
