The Week in Cyber Security and Data Privacy in Europe: 11 – 17 March 2024

53,332,982 known records breached in 50 newly disclosed incidents

Welcome to this week’s round-up of the biggest and most interesting news stories in Europe.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

France Travail and Cap Emploi breach affects 43 million

The French data protection authority, the CNIL, reports that the unemployment agencies France Travail (formerly Pôle emploi) and Cap Emploi have suffered a cyber attack that led to the exposure of 43 million people’s data.

According to France Travail, the breached data includes names, dates of birth, email and postal addresses, telephone numbers, social security numbers and France Travail identifiers. Passwords and bank details were not affected.

Last August, Pôle emploi suffered a data breach affecting 10 million people. At the time, the security firm Emsisoft attributed it to May 2023’s MOVEit Transfer breach, but removed the agency from its list of MOVEit victims the following month. It’s not known whether this breach relates to the MOVEit one.

Data breached: 43 million people’s data.

HIBP adds almost 3.3 million ClickASnap records to its database

In October 2022, ClickASnap announced that it had suffered a data breach on 24 September of that year, in which user emails were stolen from a database.

Have I Been Pwned has now added 3,262,980 records to its database, including email addresses, names, passwords, physical addresses, purchases, social media profiles and usernames.

Data breached: 3,262,980 records.


Publicly disclosed data breaches and cyber attacks in Europe: full list

This week, we found 53,332,982 records known to be compromised in Europe, and 50 European organisations suffering a newly disclosed incident. Ten of them are known to have had data exfiltrated, exposed or otherwise breached; 33 definitely haven’t had data breached.

We also found 1 European organisation providing a significant update on a previously disclosed incident.

| Organisation(s) | Sector | Location | Data breached? | Known data breached |
|---|---|---|---|---|
| France Travail and Cap Emploi (New) (Source 1; source 2) | Public | France | Yes | 43,000,000 |
| ClickASnap (Update) (Source 1; source 2) | IT services | UK | Yes | *3,262,980* |
| AMMEGA (New) (Source) | Manufacturing | Netherlands | Yes | 3 TB |
| Health Service Executive (New) (Source) | Healthcare | Ireland | Yes | >1,000,000 |
| Teupe Gruppe (New) (Source) | Construction | Germany | Yes | >1 TB |
| Cleshar (New) (Source) | Transport | UK | Yes | 1 TB |
| OYAK (New) (Source) | Finance | Turkey | Yes | 720 GB |
| Reny Picot (New) (Source) | Manufacturing | Spain | Yes | 350 GB |
| Dörr Group (New) (Source) | Retail | Germany | Yes | Unknown |
| VOID Interactive (New) (Source) | Software | Ireland | Yes | Unknown |
| edpnet België (New) (Source) | Telecoms | Belgium | Unknown | Unknown |
| Petroltecnica S.p.A. (New) (Source) | Environmental | Italy | Unknown | Unknown |
| Meduza (New) (Source) | Media | Latvia | Unknown | Unknown |
| Russian polling stations (New) (Source) | Public | Russia | Unknown | Unknown |
| Moscow Metro (New) (Source) | Transport | Russia | Unknown | Unknown |
| NHS Dumfries & Galloway (New) (Source 1; source 2) | Healthcare | UK | Unknown | Unknown |
| Dozens of Estonian government institutions (New) (Source) | Public | Estonia | No | 0 |
| 8 French government agencies (New) (Source 1; source 2) | Public | France | No | 0 |
| Liverpool John Lennon Airport (New) (Source) | Transport | UK | No | 0 |

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.
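The following script is an added example (not code from the round-up’s authors) that applies the Note 2 convention to the “Known data breached” column above and checks that the rows reproduce the headline total. It assumes decimal multiples (1 GB = 1,000 MB, 1 TB = 1,000,000 MB), and it treats a “>” lower bound as the bound plus one record; both are assumptions, not stated on the page, but they are the only reading under which the table sums to exactly 53,332,982. The row list is copied from the table and is the constructed input.

```python
import re

# Constructed input: (organisation, "Known data breached" cell) for each row of the
# table above. Rows marked "Unknown" carry no count; rows marked "0" add nothing.
SAMPLE_ROWS = [
    ("France Travail and Cap Emploi", "43,000,000"),
    ("ClickASnap", "3,262,980"),
    ("AMMEGA", "3 TB"),
    ("Health Service Executive", ">1,000,000"),
    ("Teupe Gruppe", ">1 TB"),
    ("Cleshar", "1 TB"),
    ("OYAK", "720 GB"),
    ("Reny Picot", "350 GB"),
    ("Dörr Group", "Unknown"),
    ("edpnet België", "Unknown"),
    ("NHS Dumfries & Galloway", "Unknown"),
    ("Dozens of Estonian government institutions", "0"),
    ("8 French government agencies", "0"),
    ("Liverpool John Lennon Airport", "0"),
]

# Note 2: 1 MB = 1 record. Assumption: decimal multiples (the page does not say
# whether a TB is 1,000,000 MB or 1,048,576 MB; decimal reproduces the headline figure).
_UNIT_TO_RECORDS = {"MB": 1, "GB": 1_000, "TB": 1_000_000}

# Optional ">" prefix, a number with thousands separators, optional size unit.
_CELL_RE = re.compile(r"^(>)?\s*([\d,]+(?:\.\d+)?)\s*(MB|GB|TB)?$", re.IGNORECASE)


def records_from_cell(cell):
    """Return the record count a 'Known data breached' cell contributes.

    Returns None for 'Unknown' (the row is excluded from the total) and raises
    ValueError for a cell that does not match the table's formats.
    """
    text = cell.strip()
    if text.lower() == "unknown":
        return None
    match = _CELL_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised cell: {cell!r}")
    more_than, number, unit = match.groups()
    value = float(number.replace(",", ""))
    records = int(value * _UNIT_TO_RECORDS[unit.upper()]) if unit else int(value)
    # Assumption: a ">" lower bound is counted as the bound plus one record,
    # the only reading under which the rows above sum to 53,332,982.
    if more_than:
        records += 1
    return records


def total_records(rows):
    """Sum the known record counts over (organisation, cell) rows, skipping Unknowns."""
    total = 0
    for _organisation, cell in rows:
        count = records_from_cell(cell)
        if count is not None:
            total += count
    return total


if __name__ == "__main__":
    for organisation, cell in SAMPLE_ROWS:
        print(f"{organisation}: {cell!r} -> {records_from_cell(cell)}")
    print("total known records:", total_records(SAMPLE_ROWS))
```

Because the conversion sits in one function, the same script can be pointed at any week’s table; a cell it cannot parse raises rather than silently contributing zero, which is the failure mode to watch for when the file-size convention is applied by hand.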


AI

MEPs adopt Artificial Intelligence Act

The European Parliament has endorsed the EU Artificial Intelligence Act, with 523 MEPs voting in favour and 46 against the Act. There were 49 abstentions.

The Act “aims to protect fundamental rights, democracy, the rule of law and environmental sustainability from high-risk AI, while boosting innovation and establishing Europe as a leader in the field”. It also “establishes obligations for AI based on its potential risks and level of impact”.

Garante launches investigation into OpenAI’s Sora

Italy’s data protection authority, the Garante per la Protezione dei Dati Personali, has announced that it is investigating OpenAI following the launch of a new AI model called Sora, which is capable of creating videos from short textual instructions. The Garante is considering the possible implications Sora could have on the processing of EU residents’ personal data.


Enforcement

European Commission’s use of Microsoft 365 infringes data protection law

The EDPS (European Data Protection Supervisor) has announced that it has found the European Commission’s use of Microsoft 365 infringed several data protection provisions that apply to EUIs (EU institutions, bodies, offices and agencies), including ensuring that personal data transferred outside the EEA is subject to appropriate safeguards.

European Commission welcomes political agreement on EHDS

The European Commission has welcomed the political agreement between the European Parliament and the Council of the European Union on the EHDS (European Health Data Space). The EHDS aims to give EU residents full control over their data to obtain better healthcare across the EU and to open up data for research and public health uses.

Polish supervisory authority issues two €24,000 fines for data breach notification failures

Poland’s data protection authority, the UODO (Urząd Ochrony Danych Osobowych), fined two organisations last year for failing to notify it of personal data breaches.

According to the EDPB (European Data Protection Board), the UODO fined an insurance company €24,000 in October 2023 after an unauthorised recipient received an email that was sent in error. The email’s attachment contained personal data belonging to an insurance claimant.

The UODO also fined the District Court in Krakow the same amount in December 2023 after it sent a package containing personal data to the Minister of Foreign Affairs, which arrived damaged and incomplete. The Court, which was the data controller in this instance, failed to notify the supervisory authority of the breach.

noyb complains that Swedish data broker uses legal loophole to evade GDPR

The privacy rights campaign group noyb has filed a complaint against one of Sweden’s largest data brokers, MrKoll. Noyb argues that MrKoll’s use of a media licence unfairly exempts it from its obligations under the GDPR (General Data Protection Regulation), depriving “people of their fundamental right to privacy and [exposing] their most intimate data to the internet”.

LockBit associate pleads guilty to cyber extortion

Mikhail Vasiliev, a hacker awaiting extradition from Canada to the US on cyber crime charges, has pleaded guilty to eight counts of cyber extortion, mischief and weapons charges. Vasiliev was arrested over a year ago for committing crimes in connection with the LockBit ransomware group.

Justice officials say Vasiliev took tens of millions of dollars in ransom payments from at least 1,000 ransomware attacks.

Meanwhile, LockBit’s purported leader has vowed to continue its ransomware attacks, despite the massive law enforcement operation that disrupted the group earlier this year.


Other news

Browsers add extra protection to help secure users

Google has announced that Chrome will now use real-time Safe Browsing protections to show warnings when users visit potentially unsafe websites.

And Microsoft has announced that new security protections in Edge and other Chromium-based browsers will prevent criminal hackers from using an exploit in a Renderer Process to escape the Renderer sandbox. This will prevent “attackers from using an exploit to enable the Mojo JavaScript bindings (MojoJS) for their site context within the Renderer”.

ICO publishes view on DPDI Bill

The ICO (Information Commissioner’s Office) has published its view on the government’s DPDI (Data Protection and Digital Information Bill) as it reaches the Lords committee stage. The Bill aims to reform data protection law in the UK.


Key dates

31 March 2024 – PCI DSS v4.0 transitioning deadline

Version 3.2.1 of the PCI DSS (Payment Card Industry Data Security Standard) is being retired on 31 March, to be replaced by version 4.0 of the Standard. There are more than 50 new requirements in PCI DSS v4.0. You can find out more about them on the PCI Security Standards Council’s website.

30 April 2024 – ISO/IEC 27001:2013 certification unavailable

Certification bodies must stop offering (re)certification to ISO 27001:2013 by 30 April. The new iteration of the Standard, ISO 27001:2022, isn’t significantly different from ISO 27001:2013, but there are some notable changes. Learn more about complying with ISO 27001:2022.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.


Security Spotlight

To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.

Every Tuesday, you’ll get a short email with:

  • Industry news, including this weekly round-up;
  • Our latest research and statistics;
  • Interviews with our experts, sharing their insights and expertise;
  • Free useful resources; and
  • Upcoming webinars.
