The Week in Cyber Security and Data Privacy in Europe: 29 January – 4 February 2024

5,434,146 known records breached in 20 publicly disclosed incidents

Welcome to this week’s round-up of the biggest and most interesting news stories in Europe.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

Schneider Electric hit by Cactus ransomware

The Sustainability Business division of the energy company Schneider Electric suffered a ransomware attack on 17 January, disrupting the company’s Resource Advisor platform. According to Bleeping Computer, the Cactus ransomware gang stole “terabytes of corporate data”, which it’s threatening to leak if a ransom isn’t paid.

Data breached: “terabytes of corporate data”.

BeatBase database containing more than 1.6 million lines of data allegedly leaked online

A threat actor has allegedly leaked a database from the ticketing and event management platform BeatBase ApS. The compromised data apparently includes IDs, email addresses, names, encrypted passwords and other account information.

Data breached: 1,648,030 lines.


Publicly disclosed data breaches and cyber attacks in Europe: full list

This week, we found 5,434,146 records known to be compromised in Europe, and 20 European organisations suffering a newly disclosed incident. 17 of them are known to have had data exfiltrated, exposed or otherwise breached; for the remaining 3 it is unknown, and none has been confirmed as having had no data breached.

We also found 10 European organisations providing a significant update on a previously disclosed incident.

| Organisation(s) | Source | New/Update | Sector | Location | Data breached? | Known records breached |
|---|---|---|---|---|---|---|
| Schneider Electric | Source | New | Energy | France | Yes | “terabytes” of data |
| BeatBase ApS | Source | New | IT services | Denmark | Yes | 1,648,030 |
| FOOTDISTRICT | Source | New | Retail | Spain | Yes | 943,797 |
| CloudFire and 8 other Italian companies | Source 1; source 2 | Update | IT services and unknown | Italy | Yes | 400 GB |
| Chamber of Deputies of Romania | Source 1; source 2 | New | Public | Romania | Yes | >250 GB |
| LUSH | Source 1; source 2; source 3 | Update | Retail | UK | Yes | >110 GB |
| Dirox | Source | New | Software | France | Yes | 50 GB |
| AnyDesk Software | Source 1; source 2 | New | Software | Germany | Yes | 18,317 |
| Realmforge Studios GmbH | Source | New | Software | Germany | Yes | 13 GB |
| European Parliament | Source | New | Public | Belgium | Yes | 1,000 |
| Reykjavik University | Source | New | Education | Iceland | Yes | Unknown |
| CasaSpeciale.it | Source | New | Real estate | Italy | Yes | Unknown |
| Norske Boligbyggelag | Source | New | Non-profit | Norway | Yes | Unknown |
| Helthjem | Source | New | Transport | Norway | Yes | Unknown |
| AUSA | Source | New | Manufacturing | Spain | Yes | Unknown |
| Teo City Council | Source | New | Public | Spain | Yes | Unknown |
| The Oxford Academy | Source | New | Education | UK | Yes | Unknown |
| UNISON | Source | New | Non-profit | UK | Yes | Unknown |
| Class Charts | Source | New | Software | UK | Yes | Unknown |
| INSTAT | Source | New | Public | Albania | Unknown | Unknown |
| Connexus | Source | New | Real estate | UK | Unknown | Unknown |
| Coordination Headquarters for the Treatment of Prisoners of War | Source | New | Public | Ukraine | Unknown | Unknown |

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.


AI

EU representatives unanimously approve AI Act

The Committee of Permanent Representatives, or Coreper, unanimously voted in favour of the EU’s AI Act on 2 February, after the bloc’s three largest economies – France, Germany and Italy – overcame their reservations about the Act’s regulatory regime.

Italian data protection authority notifies OpenAI of GDPR breaches

Following last March’s temporary ban in the country, Italy’s data protection regulator, the Garante per la Protezione dei Dati Personali, has notified ChatGPT’s parent company, OpenAI, that it has identified several breaches of data protection law. OpenAI has 30 days to submit counterclaims about the alleged breaches.

Europcar confirms alleged data breach is false

Europcar has confirmed that a database of nearly 50 million customer records purportedly stolen from the company is fake. “The record number is completely wrong, the sample data is probably generated by ChatGPT (addresses do not exist, ZIP code does not match the US state, first and last names do not match email addresses, email addresses use very unusual tlds), and, most importantly, none of the email addresses are in our database”, the company said.


Enforcement

Uber fined €10 million for GDPR breaches

The Dutch data protection authority, Autoriteit Persoonsgegevens, has fined Uber €10 million for failing to be transparent about its data retention practices and making it difficult for drivers to exercise their data privacy rights.

INTERPOL operation targets global cyber crime

Operation Synergia, an INTERPOL operation involving 60 law enforcement agencies from more than 50 countries, has identified 1,300 malicious command-and-control servers involved in phishing, malware and ransomware attacks. 70% of the servers have been taken down and the remainder are under investigation.

ICO publishes progress update about cookie enforcement

The Information Commissioner’s Office wrote to 53 of the UK’s biggest websites about their cookie practices last November, warning that they’d face enforcement action if they didn’t comply with data protection law. The ICO now reports that 38 of those 53 have updated their cookie banners and 4 have committed to reach compliance. The remainder are working on solutions.


Other news

EDPB launches open-source website auditing tool

The European Data Protection Board has launched an audit tool that can help analyse websites’ compliance with data protection law. Both the tool and its source code are available for download.

European Commission adopts cyber security certification scheme

The European Commission has adopted the first European cyber security certification scheme (the EUCC), in line with the EU Cybersecurity Act. The voluntary scheme, which builds on the Common Criteria, provides a set of rules and procedures for certifying ICT products.

EU and US enhance cyber security cooperation

The EU and US have issued a joint statement about the importance of cooperation about cyber resilience. The statement sets out the EU and US’s shared objectives for a secure cyberspace.


Key dates

31 March 2024 – PCI DSS v4.0 transition deadline

Version 3.2.1 of the PCI DSS (Payment Card Industry Data Security Standard) is being retired on 31 March, to be replaced by version 4.0 of the Standard. There are more than 50 new requirements in PCI DSS v4.0. You can find out more about them on the PCI Security Standards Council’s website.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.


Security Spotlight

To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.

Every Tuesday, you’ll get a short email with:

  • Industry news, including this weekly round-up;
  • Our latest research and statistics;
  • Interviews with our experts, sharing their insights and expertise;
  • Free useful resources; and
  • Upcoming webinars.
