The Week in Cyber Security and Data Privacy in Europe: 15 – 21 January 2024

Welcome to this week’s round-up of the biggest and most interesting news stories in Europe.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

More than 70 million email addresses added to Have I Been Pwned

The security researcher Troy Hunt has added nearly 71 million email addresses from the Naz.API data set to his Have I Been Pwned data breach notification service. The data set is a collection of 1 billion credentials sourced from stealer logs and hosted on the illicit.services website. According to Hunt, more than a third of the email addresses were new to Have I Been Pwned.

Data breached: 70,840,771 email addresses.

Nearly 100,000 files from AUSA added to Hunters International data leak website

AUSA – a global manufacturer of all-terrain industrial vehicles, headquartered in Spain – has been added to the Hunters International ransomware group’s data leak website. Allegedly, 93,796 files (77.5 GB of data) were exfiltrated, including project and user data.

Data breached: 93,796 files (77.5 GB).


Publicly disclosed data breaches and cyber attacks in Europe: full list

This week, we’ve found 71,027,956 records known to be compromised in Europe (including the Naz.API data set), and 30 organisations suffering a newly disclosed incident. 19 of them are known to have had data exfiltrated, exposed or otherwise breached. None are confirmed not to have had data breached.

| Organisation(s) | Sector | Location | Data breached? | Known records breached |
|---|---|---|---|---|
| Naz.API (likely belonging to multiple organisations) (New) | Unknown | Unknown | Yes | 70,840,771 |
| AUSA (New) | Manufacturing | Spain | Yes | 93,796 |
| TREZOR (New) | Crypto | France | Yes | Nearly 66,000 |
| GREYHOURS (New) | Retail | France | Yes | 18,700 |
| Tameside Council (New) | Public | UK | Yes | 6,345 |
| Finham Park Multi Academy Trust (New) | Education | UK | Yes | 1,843 |
| Main Military Construction Directorate for Special Facilities (New) | Defence | Russia | Yes | >500 |
| PC Matthew Gell (Nottinghamshire Police) (New) | Public | UK | Yes | 1 |
| Maisons de l’Avenir (New) | Construction | France | Yes | Unknown |
| Vision Plast (New) | Manufacturing | France | Yes | Unknown |
| Aegon (New) | Finance | Netherlands | Yes | Unknown |
| Emagister (New) | Education | Spain | Yes | Unknown |
| Lanbide (New) | Public | Spain | Yes | Unknown |
| Tietoevry (New) | IT services | Sweden | Yes | Unknown |
| Hosted-IT Ltd (New) | IT services | UK | Yes | Unknown |
| Millgate (New) | IT services | UK | Yes | Unknown |
| Liverpool City Region Combined Authority (New) | Public | UK | Yes | Unknown |
| Space NK (New) | Retail | UK | Yes | Unknown |
| Paisii Hilendarski University of Plovdiv (New) | Education | Bulgaria | Unknown | Unknown |
| Milectria (New) | Manufacturing | Finland | Unknown | Unknown |
| Telegram, WhatsApp and Beeline (New) | IT services and telecoms | Russia | Unknown | Unknown |
| Swiss government websites (New) | Public | Switzerland | Unknown | Unknown |
| Legal & General (New) | Finance | UK | Unknown | Unknown |
| EK Services, and Canterbury, Dover and Thanet councils (New) | IT services and public | UK | Unknown | Unknown |

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.


AI

Microsoft gives all businesses access to AI-powered Office features

When Microsoft launched Copilot for Office 365 in November 2023, it required enterprise customers to have at least 300 users. It has now removed that requirement, opening up Copilot to businesses of all sizes. According to Microsoft, “Microsoft 365 Copilot provides real-time intelligent assistance, enabling users to enhance their creativity, productivity, and skills.”

ICO launches consultation on generative AI and data protection

The UK Information Commissioner’s Office has launched a consultation series on the application of data protection law to generative AI models, particularly in relation to the UK GDPR (General Data Protection Regulation) and Part 2 of the UK Data Protection Act 2018. The first chapter covers the lawful basis for training generative AI models on web-scraped data and is open until 1 March.


Enforcement

EDPB publishes GDPR one-stop shop case digest on security of processing and data breach notification

The European Data Protection Board has published a One-Stop-Shop case digest on Security of Processing and Data Breach Notification. The case digest provides insights into how the data protection authorities have applied the EU GDPR’s provisions in various scenarios, such as ransomware attacks and the accidental disclosure of data.

CNIL fines Yahoo! €10 million for cookie violation

France’s data protection authority, the CNIL, has fined Yahoo EMEA Ltd €10 million for failing to take account of users’ cookie choices. Yahoo installed about 20 advertising cookies on users’ devices without their consent and failed to allow users of the Yahoo! Mail service to freely withdraw their consent.

German security researcher faces prosecution for uncovering security vulnerability

A programmer who found a security vulnerability in third-party software that he was analysing on behalf of a customer has been found guilty of criminal hacking. The MySQL flaw in Modern Solution’s software had exposed the data of almost 700,000 people. However, when the researcher informed the organisation, it reported him to the police. He has now been fined €3,000.

BreachForums owner sentenced to at least 15 years in prison

Two weeks ago, we reported that the former admin of the now-defunct BreachForums website, Conor Brian Fitzpatrick, aka Pompompurin, had violated his parole. Fitzpatrick has now been sentenced to time served on three counts and supervised release of 20 years with special conditions.


Other news

Ivanti Connect Secure VPN breached with more than 1,700 devices exposed

On 10 January, the cyber security company Volexity published details of attacks exploiting two zero-day vulnerabilities in Ivanti Connect Secure VPN appliances. Ivanti published a mitigation the same day and announced that it was developing a patch. Volexity now reports that it has identified more than 1,700 compromised Ivanti Connect Secure VPN devices worldwide.

Two-fifths of employees sacked over email security breaches

Nearly half of workers who were responsible for email security breaches in the past year were sacked, according to research from the cyber security company Egress. The organisation also found that 94% of organisations have experienced a serious email security incident in the past 12 months.

European Commission completes review of adequacy decisions

The European Commission has reviewed the 11 adequacy decisions that allow EU residents’ personal data to be transferred to third countries. Its report concludes that personal data transferred from the EU to Andorra, Argentina, Canada, Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay is afforded adequate protection under the GDPR.

EDPB identifies areas of improvement relating to data protection officer role

The EDPB has adopted a report on the findings of its second coordinated enforcement action, which focuses on the designation and position of DPOs (data protection officers). The report encourages the data protection authorities to carry out more awareness-raising activities and enforcement actions, as well as encouraging organisations to ensure that DPOs have sufficient opportunities, time and resources to refresh their knowledge and learn about the latest developments in their field.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.

