The Week in Cyber Security and Data Privacy in Europe: 25 – 31 March 2024

5,341,084 known records breached in 17 newly disclosed incidents

Welcome to this week’s round-up of the biggest and most interesting news stories in Europe.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

NHS Dumfries & Galloway attack claimed by INC Ransom; 3 TB of data allegedly stolen

Earlier in March, NHS Dumfries & Galloway in Scotland reported having been targeted by a cyber attack. This week, the INC Ransom group claimed responsibility for the attack and said it exfiltrated 3 TB of data.

The group also published a sample of the data. NHS Dumfries & Galloway said that it’s “aware that clinical data relating to a small number of patients has been published by a recognised ransomware group”.

The healthcare provider has also published an FAQ about the attack.

Data breached: 3 TB.

864,603 educational records from Juniper Education publicly exposed

The cyber security researcher Jeremiah Fowler discovered a publicly exposed database with 864,603 records belonging to Juniper Education, a software technology provider for schools.

The exposed records apparently included around 214,000 unique images of children. The data also included full names of students and their educational records, including achievements and potential learning disabilities.

When Fowler notified Juniper Education, it secured the data and said it’d be investigating the incident.

Data breached: 864,603 records.


Publicly disclosed data breaches and cyber attacks in Europe: full list

This week, we found 5,341,084 records known to be compromised in Europe, and 17 European organisations suffering a newly disclosed incident. 10 of them are known to have had data exfiltrated, exposed or otherwise breached. For none of them has a data breach been definitively ruled out.

We also found 2 European organisations providing a significant update on a previously disclosed incident.

| Organisation(s) | Sector | Location | Data breached? | Known data breached |
|---|---|---|---|---|
| NHS Dumfries & Galloway (Update) | Healthcare | UK | Yes | 3 TB |
| Juniper Education (New) | Software | UK | Yes | 864,603 |
| Accor (New) | Hospitality | France | Yes | 596,000 |
| Big Issue (New) | Media | UK | Yes | 550 GB |
| Rent Go (New) | Transport | Turkey | Yes | >161,000 |
| Scullion Law (New) | Legal | UK | Yes | 155 GB |
| ECB (England & Wales Cricket Board) (Update) | Leisure | UK | Yes | 43,299 |
| iNIURIA Cheats (DigitalWorks GmbH) (New) | Leisure | Germany | Yes | 14,181 |
| CurioInvest (New) | Crypto | Liechtenstein | Yes | Unknown |
| Europol (New) | Legal | Netherlands | Yes | Unknown |
| Ayuntamiento de Torre Pacheco (New) | Public | Spain | Yes | Unknown |
| Cressex Community School (New) | Education | UK | Yes | Unknown |
| Statistični urad Republike Slovenije (New) | Public | Slovenia | Unknown | Unknown |
| Website of President Nataša Pirc Musar (New) | Public | Slovenia | Unknown | Unknown |
| The University of Manchester (New) | Education | UK | Unknown | Unknown |
| University of Wolverhampton (New) | Education | UK | Unknown | Unknown |
| Clinical School Computing Service (New) | IT services | UK | Unknown | Unknown |
| Communication Workers Union (New) | Professional services | UK | Unknown | Unknown |
| YASNO (New) | Energy | Ukraine | Unknown | Unknown |

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all. To learn more about our research methodology, click here.


AI

UK Artificial Intelligence (Regulation) Bill progresses to Lords committee stage

The House of Lords read the UK Artificial Intelligence (Regulation) Bill for a second time on 22 March, and has progressed the Bill to the committee stage. This blog explains in more detail how a bill becomes law.

Researchers reveal new quantum AI model that allegedly identifies 100% of attacks

Multiverse Computing and CounterCraft have revealed a new quantum AI model: the MPS (Matrix Product State) model. It’s been trained on data sets from real network traffic and system logs, and “significantly improves” attack detection compared to traditional methods, supposedly identifying 100% of cyber attacks.


Enforcement

European Commission started investigation into Meta’s “pay or consent model”

The European Commission has opened proceedings against Meta’s “pay or consent model” – alongside Alphabet’s rules on steering in Google Play and self-preference on Google search, and Apple’s rules on steering in the App Store – under the DMA (Digital Markets Act).

The Commission is “concerned” that the “binary choice” of Meta’s model “may not provide a real alternative in case users do not consent, thereby not achieving the objective of preventing the accumulation of personal data by gatekeepers”.

EU and South Korea reaffirm partnership on cyber security, AI and other areas

In a second digital partnership council, the EU and South Korea reaffirmed their commitment to cooperating in “key digital technologies”, including cyber security, AI, quantum technology, platforms, semiconductors, 5G and beyond, and “defined other areas of cooperation such as network connectivity”.

Sellafield to be prosecuted for alleged IT security offences between 2019 and 2023

The UK’s nuclear safety regulator – the ONR (Office for Nuclear Regulation) – has notified the nuclear site Sellafield that it’ll face prosecution under the Nuclear Industries Security Regulations 2003 for alleged IT security offences between 2019 and 2023.

Sellafield was reportedly hacked by cyber groups “closely linked to Russia and China”.


Other news

At least 17,000 Microsoft Exchange servers in Germany critically exposed

The BSI (Bundesamt für Sicherheit in der Informationstechnik; the German Federal Office for Information Security) warned that at least 37% of Microsoft Exchange servers in Germany (so at least 17,000) are vulnerable to at least one critical security vulnerability.


Recently published reports


Key dates

31 March 2024 – PCI DSS v4.0 transitioning deadline 

Version 3.2.1 of the PCI DSS (Payment Card Industry Data Security Standard) was retired on 31 March and replaced by version 4.0 of the Standard.

30 April 2024 – ISO/IEC 27001:2013 certification unavailable

Certification bodies must stop offering (re)certification to ISO 27001:2013 by 30 April. The new iteration of the Standard, ISO 27001:2022, isn’t significantly different from ISO 27001:2013, but there are some notable changes. Learn more about complying with ISO 27001:2022.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.

