The Week in Cyber Security and Data Privacy in Europe: 15 – 21 April 2024

7,895,988 known records breached in 24 newly disclosed incidents

Welcome to this week’s round-up of the biggest and most interesting news stories in Europe.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

Criminal hackers threaten to leak World-Check screening database

A criminal group known as GhostR claims to have stolen 5.3 million records from World-Check, a database used to screen potential customers for links to illegal activity and government sanctions.

Compromised data includes names, passport numbers, Social Security numbers, online crypto account identifiers and bank account numbers.

A spokesman for the London Stock Exchange Group, which maintains the database, confirmed the data was illegally obtained from a third party and didn’t dispute the amount of data stolen. GhostR says it obtained the records from a Singapore-based company with access to the database.

Data breached: 5,300,000 records.

Almost 1.5 million accounts compromised in Le Slip Français data breach

The French underwear manufacturer Le Slip Français has suffered a data breach. The alleged perpetrator, who goes by the name ShopifyGUY, claims to have obtained more than 1.5 million emails, including 690,000 sets of customer details comprising email addresses, names, postal addresses, phone numbers and purchase data.

ShopifyGUY is the same person who posted the Giant Tiger data last week. According to Troy Hunt of the data breach notification service HIBP (Have I Been Pwned), “it looks like they’re finding @Shopify keys somewhere then just dumping all the data. I’m told the JSON format these breaches all appear in is consistent with that, so it stands to reason that’s the common vector for all these breaches”.

Hunt has added 1,495,127 Le Slip Français accounts to the HIBP database.

Data breached: 1,495,127 accounts.


Publicly disclosed data breaches and cyber attacks in Europe: full list

This week, we found 7,895,988 records known to be compromised in Europe, and 24 European organisations suffering a newly disclosed incident. 20 of them are known to have had data exfiltrated, exposed or otherwise breached. Only 1 definitely hasn’t had data breached.

We also found 1 European organisation providing a significant update on a previously disclosed incident.

Organisation(s) | Sector | Location | Data breached? | Known data breached
--- | --- | --- | --- | ---
World-Check – Source (New) | Finance | UK | Yes | 5,300,000
Le Slip Français – Source 1; source 2; source 3 (Update) | Retail | France | Yes | 1,495,127
XD Connects – Source (New) | Retail | Netherlands | Yes | 1 TB
Albatros – Source (New) | Manufacturing | Russia | Yes | >100 GB
Basingstoke MP Maria Miller – Source (New) | Public | UK | Yes | 500
EBIR Bathroom Lighting – Source (New) | Manufacturing | Spain | Yes | 200 MB
Former Manx Care employee – Source (New) | Healthcare | UK | Yes | 160
Grodno Azot – Source (New) | Manufacturing | Belarus | Yes | Unknown
UNDP (United Nations Development Programme) – Source (New) | Non-profit | Denmark | Yes | Unknown
Lyon Terminal – Source 1; source 2 (New) | Transport | France | Yes | Unknown
Volkswagen – Source (New) | Manufacturing | Germany | Yes | Unknown
Extern – Source (New) | Charity | Ireland | Yes | Unknown
Iddink Group – Source (New) | IT services | Netherlands | Yes | Unknown
Nieuwsbank – Source (New) | Media | Netherlands | Yes | Unknown
Ministry of Finance, Republic of Serbia – Source (New) | Public | Serbia | Yes | Unknown
Lopesan – Source 1; source 2 (New) | Hospitality | Spain | Yes | Unknown
ASESGC Guardia Civil – Source (New) | Non-profit | Spain | Yes | Unknown
Bagcilar Education and Research Hospital – Source (New) | Healthcare | Turkey | Yes | Unknown
Bureau van Dijk – Source (New) | Professional services | UK | Yes | Unknown
Zest Protocol – Source (New) | Crypto | UK | Yes | Unknown
Companies House – Source (New) | Public | UK | Yes | Unknown
Hôpital de Cannes – Simone Veil – Source (New) | Healthcare | France | Unknown | Unknown
SYNLAB Italia – Source (New) | Research | Italy | Unknown | Unknown
1+1 media – Source (New) | Media | Ukraine | Unknown | Unknown
Carpetright – Source (New) | Retail | UK | No | 0

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all. To learn more about our research methodology, click here.
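Applying the 1 MB = 1 record convention programmatically, as an added example that is not part of the original round-up: the parser below turns the kinds of values that appear in this week's 'Known data breached' column into record counts, treating 'Unknown' as contributing nothing and a '>' lower bound as its stated size. It assumes decimal units (1 GB = 1,000 MB, 1 TB = 1,000,000 MB), which the round-up does not state.

```python
import re
from typing import Iterable, Optional, Tuple

# Size units as multiples of 1 MB. Assumption: decimal multiples; the
# round-up does not say whether it treats 1 GB as 1,000 MB or 1,024 MB.
UNIT_MB = {"MB": 1, "GB": 1_000, "TB": 1_000_000}


def records_from_cell(cell: str) -> Optional[int]:
    """Convert one 'Known data breached' cell into a record count.

    Plain numbers (with thousands separators) are taken as-is; file sizes
    use the round-up's convention of 1 MB = 1 record; 'Unknown' returns
    None so that it adds nothing to a total. A leading '>' marks a lower
    bound and is counted as the stated size.
    """
    text = cell.strip()
    if text.lower() == "unknown":
        return None
    bound = text.lstrip(">").strip()
    m = re.fullmatch(r"([\d,]+(?:\.\d+)?)\s*(MB|GB|TB)?", bound, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised cell: {cell!r}")
    number = float(m.group(1).replace(",", ""))
    unit = m.group(2)
    if unit is None:
        return int(number)
    return int(number * UNIT_MB[unit.upper()])


def total_known_records(cells: Iterable[str]) -> Tuple[int, int]:
    """Return (sum of known-volume rows, number of rows marked Unknown)."""
    total, unknown = 0, 0
    for cell in cells:
        n = records_from_cell(cell)
        if n is None:
            unknown += 1
        else:
            total += n
    return total, unknown


# Constructed sample: the distinct cell values found in this week's table.
SAMPLE_CELLS = ["5,300,000", "1,495,127", "1 TB", ">100 GB", "500",
                "200 MB", "160", "Unknown", "0"]

if __name__ == "__main__":
    total, unknown = total_known_records(SAMPLE_CELLS)
    print(f"{total:,} records across known-volume rows; {unknown} row(s) unknown")
```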


AI

Protect AI releases April 2024 vulnerability report

Protect AI has published its latest monthly report into security vulnerabilities affecting AI systems. This month contains 48 vulnerabilities, up 220% from the 15 it identified in November 2023.

NSA publishes guidance on strengthening the security of AI systems

The US National Security Agency has published a cyber security information sheet entitled Deploying AI Systems Securely: Best Practices for Deploying Secure and Resilient AI Systems. The guidance was designed for national security purposes, but can be applied by anyone bringing AI capabilities into a managed environment.


Enforcement

International law enforcement operation disrupts LabHost phishing-as-a-service platform

A law enforcement operation involving 19 countries has disrupted LabHost, one of the world’s largest phishing-as-a-service platforms. 37 suspects have been arrested and the LabHost platform has been shut down.


Other news

EDPB sets out priorities for 2024–2027

The EDPB (European Data Protection Board) has adopted its strategy for 2024–2027, which is based around four pillars:

  1. Enhancing harmonisation and promoting compliance.
  2. Reinforcing a common enforcement culture and effective cooperation.
  3. Safeguarding data protection in the developing digital and cross-regulatory landscape.
  4. Contributing to the global dialogue on data protection.

The Board’s chair, Anu Talus, said: “The new strategy takes the existing vision in a new direction in order to respond to the data protection needs of today, and the ever evolving digital landscape. The strategy is the result of a collaborative effort, involving all EU data protection authorities (DPAs) and sets out common priorities for the years to come.”

EDPB publishes opinion on Meta’s ‘pay or OK’ model

The EDPB has published its opinion on Meta’s proposed ‘pay or consent’ model, which aims to charge users a monthly fee to use its platforms without targeted advertising. Louise Brooks, from IT Governance Europe’s sister company DQM GRC, observes:

“The opinion finds that Meta’s proposed ‘pay or consent’ model isn’t compliant with the EU GDPR, but it doesn’t go so far as to rule it out as an option completely. It’s important at this stage to understand that EDPB opinions are not legally binding.

“However, the opinion was requested by supervisory authorities for the purpose of active cases under consideration for enforcement action, so the outcome of those cases will add context and detail to the interpretation of, and potential future reliance upon, the opinion.

“From a UK perspective, we know the ICO is actively monitoring the European debate on this issue as it confirmed the same at the DMA’s recent annual conference, so it remains to be seen how the EDPB’s opinion might be used or interpreted here.

“The debate certainly isn’t over, and we probably need to wait for case law to proceed before we can really start seeing the wood for the trees and understand the ramifications.

“Nevertheless, any sensible large online platforms would do well to model alternatives and consider the impact any precedents set by enforcement actions that don’t support their business models might have.”

ENISA won’t create vulnerability database

Hans de Vries, the new chief cyber security and operational officer of ENISA, the EU Agency for Cybersecurity, has confirmed that his agency will not create a database of security vulnerabilities, as proposed by the EU Cyber Resilience Act.

NATO to launch new cyber centre

Acknowledging that “cyberspace is contested at all times”, NATO will create a new cyber centre at its military headquarters in Mons, Belgium. James Appathurai, NATO’s deputy assistant secretary general for innovation, hybrid and cyber, said the new centre would be modelled on the UK’s NCSC.

CREST launches new cyber threat intelligence guide

CREST has published a new guide: What is Cyber Threat Intelligence and How is it Used?

It provides accessible advice on the theory and practice of CTI products and services, outlining key concepts and principles underpinning CTI, along with the ways organisations can use CTI to predict, prevent, detect and respond to potential cyber security threats and reduce cyber risk.

NCSC CAF (Cyber Assessment Framework) 3.2 published

The UK NCSC (National Cyber Security Centre) has published version 3.2 of its CAF (Cyber Assessment Framework). Significant changes have been made to sections covering remote access, privileged operations, user access levels and the use of multifactor authentication.

ICO publishes guidance to improve transparency in health and social care

The ICO (Information Commissioner’s Office) has published new guidance to provide regulatory certainty on how health and social care organisations should handle sensitive information while keeping people properly informed.

Recently published reports

Key dates

29 April 2024 – UK Product Security and Telecommunications Infrastructure Act 2022 comes into effect

The UK’s consumer connectable product security regime comes into effect on 29 April 2024. Businesses in the supply chains of these products need to be compliant with the legislation from that date.

30 April 2024 – ISO/IEC 27001:2013 certification unavailable

Certification bodies must stop offering (re)certification to ISO 27001:2013 by 30 April. The new iteration of the Standard, ISO 27001:2022, isn’t significantly different from ISO 27001:2013, but there are some notable changes. Learn more about complying with ISO 27001:2022.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.

