The Week in Cyber Security and Data Privacy in Europe: 22 – 28 April 2024 

1,071,153 known records breached in 23 newly disclosed incidents 

Welcome to this week’s round-up of the biggest and most interesting news stories in Europe. 

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight 

GhostR begins leaking World-Check database 

Last week, we reported that a criminal group known as GhostR claimed to have stolen 5.3 million records from World-Check, a screening database maintained by the LSEG (London Stock Exchange Group) to screen potential customers for links to illegal activity and government sanctions. 

GhostR has now begun to leak the data, confirming that the LSEG Refinitiv database contains “5,299,116 records of PEPs, criminals, terrorists, heightened risk individuals and organizations”. 

Data breached: 5,299,116 records.

More than 1 million Neighbourhood Watch members’ data compromised via web app 

The Register has discovered that VISAV Limited’s Neighbourhood Alert platform, an app used by Neighbourhood Watch groups in the UK, exposed user data to anyone who registered an account. 

According to The Register, “anyone could sign up using a fake name, email address, and postal code to gain access to a range of personal data on UK citizens within minutes”. 

The company has fixed the vulnerability and notified the UK regulator, the ICO (Information Commissioner’s Office). 

Data breached: >1,000,000 people’s data.


Publicly disclosed data breaches and cyber attacks in Europe: full list 

This week, we found 1,071,153 records known to be compromised in Europe, and 23 European organisations suffering a newly disclosed incident. 18 of them are known to have had data exfiltrated, exposed or otherwise breached. Only 3 definitely haven’t had data breached. 

We also found 1 European organisation providing a significant update on a previously disclosed incident. 

| Organisation(s) | Sector | Location | Data breached? | Known data breached |
|---|---|---|---|---|
| World-Check (Update) | Finance | UK | Yes | 5,299,116 |
| VISAV Limited (New) | IT services | UK | Yes | >1,000,000 |
| University of Düsseldorf (New) | Education | Germany | Yes | >60,000 |
| State Security Committee of the Republic of Belarus (New) | Public | Belarus | Yes | >8,600 |
| Nothing (New) | Manufacturing | UK | Yes | 2,250 |
| Stad Deinze (New) | Public | Belgium | Yes | 300 |
| Ateliers Jean Nouvel (New) | Engineering | France | Yes | Unknown |
| LATEXBIO (New) | Manufacturing | France | Yes | Unknown |
| l’Oracle (New) | Professional services | France | Yes | Unknown |
| Speedy France (New) | Professional services | France | Yes | Unknown |
| Porsche Financial Services Italia S.p.A. (New) | Finance | Italy | Yes | Unknown |
| CDSHotels (New) | Hospitality | Italy | Yes | Unknown |
| EuroParcs Enkhuizer Strand (New) | Hospitality | Netherlands | Yes | Unknown |
| Mr. CRAB (New) | Hospitality | Russia | Yes | Unknown |
| United Russia (New) | Public | Russia | Yes | Unknown |
| Interregional Transit Telecom JSC (MTT) (New) | Telecoms | Russia | Yes | Unknown |
| Universidad Miguel Hernández de Elche (New) | Education | Spain | Yes | Unknown |
| 2plan wealth management Ltd (New) | Finance | UK | Yes | Unknown |
| Lekpharm (New) | Manufacturing | Ukraine | Yes | Unknown |
| SKANLOG (New) | Transport | Denmark | Unknown | Unknown |
| Ministry of the Interior (New) | Public | Greece | Unknown | Unknown |
| Gemeente Voorschoten and Gemeente Wassenaar (New) | Public | Netherlands | No | |
| Systembolaget AB (New) | Manufacturing | Sweden | No | |

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table. 

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.


AI

Scientists successfully use AI to detect AI-generated videos 

Scientists at the MISL (Multimedia and Information Security Lab) in Drexel University’s College of Engineering have developed a suite of tools to detect AI-generated videos at the sub-pixel level. 

In Beyond Deepfake Images: Detecting AI-Generated Videos, a paper due to be presented at the IEEE Computer Vision and Pattern Recognition conference in June, Danial Samadi Vahdati, Tai D. Nguyen, Aref Azizpour and Matthew C. Stamm explain how a constrained neural network can be used to detect synthetic videos “at 98% accuracy”. 


Enforcement

European Parliament adopts European Health Data Space and regulation on substances of human origin 

The European Commission has welcomed the European Parliament’s adoption of the EHDS (European Health Data Space) and new rules on SoHO (substances of human origin), both of which aim to protect individuals’ health and improve the resilience of healthcare systems. The Council will now formally adopt both regulations.

Latest GDPR fines 

The Romanian data protection authority has fined SC Tensa Art Design SA 9,941 lei (€2,000) for violating Article 6 of the EU GDPR (General Data Protection Regulation) by processing an individual’s phone number without their consent and using it to send them marketing messages. 

It has also fined Alpha Bank Romania SA 9,950.60 lei (€2,000) for failing to implement adequate technical and organisational security measures to prevent the unauthorised access and unauthorised disclosure of customers’ personal data. 

Meanwhile, the Croatian supervisory authority has imposed nine GDPR fines totalling €51,000. Two related to gambling and betting controllers processing personal data unlawfully via cookies. Seven related to the use of CCTV in hotels, catering establishments and shops. 

ICO fines two companies £340,000 for 1.43 million unwanted marketing calls 

The ICO has fined two telemarketing companies for making 1.43 million calls to people registered with the Telephone Preference Service. Cardiff-based Outsource Strategies Ltd and London-based Dr Telemarketing Ltd targeted elderly and vulnerable people, using aggressive sales tactics to persuade them to sign up for products.


Other news

European police chiefs call for an end to end-to-end encryption 

A joint declaration by the European police chiefs calls for tech companies to limit end-to-end encryption so the companies can identify and report illegal activity on their platforms, and enable law enforcement investigations to access secure messages. 


New guidance 

EDPB publishes information on Data Protection Framework redress mechanism 

The European Data Protection Board’s Information Note on the redress mechanism for EU/EEA individuals in relation to alleged violations of U.S. law with respect to their data collected by U.S. authorities competent for national security sets out how data subjects in the EU and EEA can formally complain about the processing of their personal data by US intelligence agencies.


Key dates 

29 April 2024 – UK Product Security and Telecommunications Infrastructure Act 2022 comes into effect 

The UK’s consumer connectable product security regime comes into effect on 29 April. Businesses in the supply chains of these products need to be compliant with the legislation from that date.

30 April 2024 – ISO/IEC 27001:2013 certification unavailable 

As of 30 April, certification bodies can no longer offer (re)certification to ISO 27001:2013. The new iteration of the Standard, ISO 27001:2022, isn’t significantly different from ISO 27001:2013, but there are some notable changes.


That’s it for this week’s round-up. We hope you found it useful. 

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place. 

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.

