The Week in Cyber Security and Data Privacy in Europe: 1 – 7 January 2024

Welcome to this week’s round-up of the biggest and most interesting news stories in Europe.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.

Publicly disclosed data breaches and cyber attacks: in the spotlight

3.6 million Cross Switch users’ information allegedly leaked online

A database allegedly belonging to the online payment gateway management company Cross Switch has been leaked on the dark web. The threat actor claims to have leaked 3.6 million users’ information, including names, dates of birth, emails, phone numbers, banking information, and more.

Data breached: 3,600,000 records.

Black Basta leaks 1.1 TB of data from Gräbener Maschinentechnik GmbH & Co. KG

The German engineering company Gräbener Maschinentechnik reports that it suffered a cyber attack in December 2023, which resulted in unauthorised access to its databases. The Black Basta group has now leaked 1.1 TB of data that it claims to have exfiltrated from the organisation.

Data breached: 1.1 TB.

Black Basta adds Park Holidays UK to its data leak site

The Black Basta group has published 515 GB of data that it claims to have exfiltrated from Park Holidays, a holiday park operator with more than 50 sites in the UK. The compromised data includes financial documents, and personal documents such as driving licences and passports.

Data breached: 515 GB.

Publicly disclosed data breaches and cyber attacks: full list

This week, we’ve found 5,345,102 records known to be compromised, and 11 organisations suffering a newly disclosed incident. 8 of them are known to have had data exfiltrated, exposed or otherwise breached. Only 1 definitely hasn’t had data breached.

| Organisation(s) | Sector | Location | Data breached? | Known records breached |
|---|---|---|---|---|
| Cross Switch S.à.r.l. | | | | |
| Gräbener Maschinentechnik GmbH & Co. KG (Source 1; source 2) | Manufacturing | Germany | Yes | 1.1 TB |
| Park Holidays UK | Hospitality | UK | Yes | 515 GB |
| Grupo SCA | Professional services | Spain | Yes | >100 GB |
| Swiss Air Force | Defence | Switzerland | Yes | 30 GB |
| Salford City Council | | | | |
| Lutheran World Federation | | | | |
| Communauté de Communes du Pays Fouesnantais | | | | |
| Commune de Saint-Philippe | | | | |
| Orange Spain | | | | |

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.


OpenAI moves European HQ to Dublin

OpenAI is moving its main establishment in Europe to Dublin, listing its Irish office as its data controller for the EEA and Switzerland under the EU GDPR. This means the Irish Data Protection Commission will be OpenAI’s lead supervisor in the EU. The new Europe terms of use will apply from 15 February.


BreachForums admin violates parole requirements by using VPN

Conor Brian Fitzpatrick, aka Pompompurin, the former admin of the now-defunct BreachForums website, which cyber criminals used to exchange stolen data, has violated his parole by using a computer and VPN (virtual private network) without enabling the court-prescribed monitoring software. Fitzpatrick was arrested in March 2023.

Other news

Turkish cyber espionage campaign targets Netherlands

The cyber security company Hunt & Hackett has detected a campaign of cyber attacks targeting victims in the Netherlands and originating in Turkey. The perpetrators, known as Sea Turtle, Teal Kurma, Marbled Dust, SILICON and Cosmic Wolf, are known to target organisations in Europe and the Middle East, especially governmental bodies, telecoms organisations, ISPs, IT service providers, and media and entertainment organisations.

noyb files complaint with Austrian data protection authority against creditors’ association

The privacy rights campaign group noyb has filed a complaint against the creditors’ association KSV1870 for charging data subjects to access their personal data, in contravention of Article 15 of the EU GDPR. KSV’s website urges people to buy an ‘InfoPass’ instead of letting individuals get a free copy of their data.

European Central Bank to test banks’ resilience to cyber attacks

The European Central Bank will conduct stress tests on banks in Europe to determine their cyber resilience. 109 banks must undertake vulnerability assessments and evaluate their incident response measures by mid-2024.

Key dates

17 January 2024 – First batch of DORA regulatory technical requirements due to be submitted

Three European supervisory authorities – the EBA (European Banking Authority), EIOPA (European Insurance and Occupational Pensions Authority) and ESMA (European Securities and Markets Authority) – are currently developing DORA policy products for compliance with the EU Digital Operational Resilience Act. The first batch – a set of four regulatory technical requirements covering Articles 15, 16(3), 18(3), 28(9) and 28(10) – is due to be submitted by 17 January 2024.

That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.
