The Week in Cyber Security and Data Privacy in Europe: 4 – 10 March 2024

44,417,477 known records breached in 27 newly disclosed incidents

Welcome to this week’s round-up of the biggest and most interesting news stories in Europe.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

36 million MX3 Nutrition records allegedly leaked

A threat actor known as Chucky has leaked 36 million customer records apparently belonging to the French sports nutrition company MX3 Nutrition.

According to a listing on a popular hacking forum, the database includes customers’ names, email addresses, hashed passwords, and more. The claim is yet to be verified.

Data breached: 36,000,000 records.

Glosbe dictionary exposes almost 7 million records

The multilingual online dictionary Glosbe left a MongoDB instance unsecured last year, exposing nearly 7 million users’ information, including personal data, encrypted passwords and social media identifiers.

The Cybernews research team discovered the MongoDB server in December 2023 and contacted Glosbe. Glosbe didn’t reply, but the open instance was soon closed.

Data breached: 6,935,412 individuals’ data.


Publicly disclosed data breaches and cyber attacks in Europe: full list

This week, we found 44,417,477 records known to be compromised in Europe, and 27 European organisations suffering a newly disclosed incident. 25 of them are known to have had data exfiltrated, exposed or otherwise breached; for the remaining 2 it is not yet known whether data was breached. None has been confirmed as having had no data breached.

We also found 3 European organisations providing a significant update on a previously disclosed incident.

| Organisation(s) | Sector | Location | Data breached? | Known data breached |
|---|---|---|---|---|
| MX3 Nutrition (Source) (New) | Manufacturing | France | Yes | 36,000,000 |
| Glosbe (Source) (New) | IT services | Poland | Yes | 6,935,412 |
| Online Trade (Онлайн Трейд) (Source 1; source 2) (Update) | Retail | Russia | Yes | 3,805,265 |
| Euronics Italia S.p.A. (Source) (New) | Retail | Italy | Yes | 436,932 |
| Toner-dumping.de (Source) (New) | Retail | Germany | Yes | 334,000 |
| Consorzio Innovation (Source) (New) | Professional services | Italy | Yes | 225 GB |
| Duvel Moortgat (Source 1; source 2) (New) | Hospitality | Belgium | Yes | 88 GB |
| Elsap Spa (Source) (New) | Retail | Italy | Yes | 49 GB |
| La bonne alternance (Source) (New) | IT services | France | Yes | 47,808 |
| XPLAIN (Source) (Update) | IT services | Switzerland | Yes | 47,413 |
| Van der Helm (Source) (New) | Transport | Netherlands | Yes | 39 GB |
| Chocotopia (Source) (New) | Leisure | Czech Republic | Yes | 33 GB |
| Total Flex B.V. (Source) (New) | Professional services | Netherlands | Yes | 28.3 GB |
| GL-SH.de (Source) (New) | IT services | Germany | Yes | 26,000 |
| World of Tanks (Source 1; source 2) (New) | Software | France | Yes | 21,994 |
| Mission Régionale pour l’Emploi de Liège (Source) (New) | Professional services | Belgium | Yes | 19 GB |
| dasauge (Source) (New) | Professional services | Germany | Yes | 11,000 |
| Swiss federal government, including Federal Department of Justice and Police, Federal Office of Justice, Federal Office of Police, State Secretariat for Migration and internal IT service centre ISC-FDJP (Source) (Update) | Public and IT services | Switzerland | Yes | 9,040 |
| GMP Academy (Source) (New) | Professional services | Germany | Yes | 4,000 |
| Booking.com (Source 1; source 2) (New) | Software | Netherlands | Yes | 1,000 |
| Labour Party (Croydon East) (Source) (New) | Public | UK | Yes | >500 |
| Jersey Financial Services Commission (Source) (New) | Public | Channel Islands | Yes | Unknown |
| En Act Architecture (Source) (New) | Construction | France | Yes | Unknown |
| HAWITA Gruppe GmbH (Source) (New) | Agricultural | Germany | Yes | Unknown |
| German Federal Ministry of Defence (Source) (New) | Defence | Germany | Yes | Unknown |
| unizen (Source) (New) | Crypto | Liechtenstein | Yes | Unknown |
| Ministry of Defense of the Russian Federation (Source) (New) | Defence | Russia | Yes | Unknown |
| Sophiahemmet (Source 1; source 2) (New) | Healthcare | Sweden | Yes | Unknown |
| Beyers Koffie (Source) (New) | Manufacturing | Belgium | Unknown | Unknown |
| Leicester City Council (Source) (New) | Public | UK | Unknown | Unknown |

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Because the real number depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.


Enforcement

UniCredit fined €2.8 million for data breach

Italy’s data protection authority, the Garante per la Protezione dei Dati Personali, has fined the country’s second-largest bank, UniCredit, €2.8 million for security failings relating to a 2018 cyber attack on its mobile banking platform.

ICO takes action against five public authorities under FOI Act

The ICO (Information Commissioner’s Office) has taken action against five public authorities for failing to meet their obligations under the Freedom of Information Act.


Other news

ISO/IEC 27006:2024 published

ISO (the International Organization for Standardization) and the IEC (the International Electrotechnical Commission) have published a new standard in the ISO 27000 information security series.

ISO/IEC 27006-1:2024 Information security, cybersecurity and privacy protection – Requirements for bodies providing audit and certification of information security management systems complements ISO/IEC 17021-1, and requires ISO 27001-certified organisations to show evidence that they’re maintaining their compliance with the Standard.

Capita lost over £106 million after cyber attack last year

The outsourcing giant Capita reports that it lost £106.6 million (about €124.8 million) last year, roughly a quarter of which was due to the ransomware attack it suffered in March 2023. In May 2023, it had predicted that responding to and recovering from the ransomware attack would cost it £20 million (about €23.4 million).

ICO launches call for views on “consent or pay” cookie compliance

As part of its cookie compliance work, the ICO has called for views on its proposed “consent or pay” mechanism – a model designed to let people use websites for free if they consent to their personal information being used for personalised advertising, or pay a fee for data privacy. The consultation closes on 17 April.


Key dates

31 March 2024 – PCI DSS v4.0 transitioning deadline

Version 3.2.1 of the PCI DSS (Payment Card Industry Data Security Standard) is being retired on 31 March, to be replaced by version 4.0 of the Standard. There are more than 50 new requirements in PCI DSS v4.0. You can find out more about them on the PCI Security Standards Council’s website.

30 April 2024 – ISO/IEC 27001:2013 certification unavailable

Certification bodies must stop offering (re)certification to ISO 27001:2013 by 30 April. The new iteration of the Standard, ISO 27001:2022, isn’t significantly different from ISO 27001:2013, but there are some notable changes. Learn more about complying with ISO 27001:2022.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.


Security Spotlight

To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.

Every Tuesday, you’ll get a short email with:

  • Industry news, including this weekly round-up;
  • Our latest research and statistics;
  • Interviews with our experts, sharing their insights and expertise;
  • Free useful resources; and
  • Upcoming webinars.
