The Week in Cyber Security and Data Privacy in Europe: 5 – 11 February 2024

37,088,521 known records breached in 38 publicly disclosed incidents

Welcome to this week’s round-up of the biggest and most interesting news stories in Europe.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

Two French healthcare service providers breached affecting over 33 million people

The French data protection authority, the CNIL, is investigating data breaches at two French healthcare service providers, Viamedis and Almerys, which manage third-party payments for supplementary health insurance.

Compromised data includes policyholders’ and their families’ civil status, dates of birth and social security numbers, as well as the name of their health insurer and information relating to their contracts.

Financial information, medical data, health reimbursements, postal addresses, telephone numbers and emails are not thought to have been compromised.

In total, more than 33 million people – nearly half France’s population – have been affected.

Data breached: >33,000,000 people’s data.

Hyundai Motor Europe suffers ransomware attack, with 3 TB of data compromised

Hyundai Motor Europe – the motoring giant’s European subsidiary, which is headquartered in Germany – has suffered a cyber attack by the Black Basta ransomware group. Black Basta claims to have exfiltrated 3 TB of data.

Bleeping Computer reports that the folder names show that the stolen data is “related to various departments at the company, including legal, sales, human resources, accounting, IT, and management”.

Data breached: 3 TB.


Publicly disclosed data breaches and cyber attacks: full list

This week, we found 37,088,521 records known to be compromised in Europe, and 38 European organisations suffering a newly disclosed incident. 25 of them are known to have had data exfiltrated, exposed or otherwise breached.

Organisation(s)SectorLocationData breached?Known records breached
Viamedis and Almerys
Source
New
HealthcareFranceYes>33,000,000
Hyundai Motor Europe
Source
New
ManufacturingGermanyYes3 TB
asecos
Source
New
ManufacturingGermanyYes810 GB
Dalmahoy Hotel & Country Club
Source
New
Hospitality and leisureUKYes769,590
SPB Global
Source
New
ManufacturingSpainYes706 GB
Studio Galbusera
Source
New
EducationItalyYes500 GB
Manitou Group
Source
New
ManufacturingFranceYes400 GB
Technet
Source
New
IT services and softwareSwedenYes278 GB
Gocco
Source
New
RetailSpainYes136 GB
Shipleys
Source
New
Professional servicesUKYes60 GB
Harinck
Source
New
ManufacturingBelgiumYes53.1 GB
Zivilgeometer
Source
New
EngineeringAustriaYes41.83 GB
Verdimed
Source
New
AgriculturalSpainYes19 GB
Watchmax
Source
New
RetailUKYes15,000
VCS Observation
Source 1; source 2
New
ManufacturingNetherlandsYesUnknown
Greenwich Leisure
Source
New
PublicUKYesUnknown
Hannon Transport
Source
New
TransportUKYesUnknown
Albert Bartlett
Source
New
AgriculturalUK  YesUnknown
Celeste
Source
New
MultipleFranceYesUnknown
Ceralp
Source
New
Professional servicesFranceYesUnknown
Karl Rieker
Source
New
ManufacturingGermanyYesUnknown
Tetrosyl Group
Source
New
ManufacturingUKYesUnknown
Grupo Moraval
Source
New
Charity and non-profitSpainYesUnknown
CDT Medicus
Source
New
HealthcarePolandYesUnknown
Dutch MIVD (Military Intelligence and Security Service)
Source
New
PublicNetherlandsUnknownUnknown
The municipality of Korneuburg
Source
New
PublicAustriaUnknownUnknown
Armentières hospital
Source
New
HealthcareFranceUnknownUnknown
PhilogenSpA
Source
New
OtherItalyUnknownUnknown
Logtainer Srl
Source
New
TransportItalyUnknownUnknown
Portline Transportes Marítimos Internacionais
Source
New
TransportPortugalUnknownUnknown
Semesco
Source
New
EngineeringCyprusUnknownUnknown
WIFI Niederösterreich
Source
New
EducationAustriaUnknownUnknown
Davis, French & Associates
Source
New
Professional servicesUKUnknownUnknown  
Therme LAA
Source
New
Hospitality and leisureAustriaUnknownUnknown
Northsea Yacht Support
Source
New
ManufacturingNetherlandsUnknownUnknown
Money Advice Trust
Source
New
Charity and non-profitUKUnknownUnknown
La Colline
Source
New
ManufacturingSwitzerlandUnknownUnknown

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.


AI

NCSC publishes new guidance on AI and cyber security

The UK’s National Cyber Security Centre has published new guidance on cyber security issues organisations need to be aware of when deploying artificial intelligence. AI and cyber security: what you need to know is “designed to help managers, board members and senior executives (with a non-technical background) to understand some of the risks – and benefits – of using AI tools”.

EU lawmakers vote to ratify political deal on AI Act

Two committees at the European Parliament have ratified the provisional agreement on the AI Act. LIBE (the European Parliament Committee on Civil Liberties, Justice and Home Affairs) posted on X (formerly Twitter): “AI Act takes a step forward: MEPs in @EP_Justice & @EP_SingleMarket have endorsed the provisional agreement on an Artificial Intelligence Act that ensures safety and complies with fundamental rights”.


Enforcement

US State Department offers $10 million for Hive ransomware information

The US Department of State is offering a reward of up to $10 million for information leading to the identification and/or location of the leaders of the Hive ransomware group, and a reward of up to $5 million for information that leads to the arrest and/or conviction of anyone conspiring to participate in Hive ransomware activity.

US announces visa restriction policy, banning people associated with spyware

Secretary of State Antony J Blinken has announced that the State Department is implementing a new policy “that will allow the imposition of visa restrictions on individuals involved in the misuse of commercial spyware”.

Denmark orders schools not to transfer students’ data to Google

The Danish data protection authority, Datatilsynet, has ordered 53 municipalities across Denmark to change their data processing activities so that they no longer transfer students’ personal data to Google.


Other news

Chinese Volt Typhoon group hid in US infrastructure network for 5 years

CISA (the Cybersecurity and Infrastructure Security Agency), the NSA (National Security Agency) and the FBI (Federal Bureau of Investigation) have issued a joint advisory about the Chinese Volt Typhoon cyber espionage group, which infiltrated US critical infrastructure.

Google confirms that spyware vendors are behind 50% of zero-day attacks

Google’s Threat Analysis Group has analysed 40 commercial spyware vendors and found that they were behind half of known 0-day exploits targeting Google products and Android ecosystem devices.

Ransomware payments topped $1 billion last year

Research by Chainalysis has found that ransom payments made to attackers reached an all-time high of more than $1 billion in 2023. The most profitable ransomware gangs were ALPHV/BlackCat, Clop, Play, LockBit, BlackBasta, Royal, Ransomhouse and Dark Angels. The previous record figure – $983 million – was set in 2021.

Fortinet brushes off DDoS claims

Despite going viral, a story that 3 million electric toothbrushes were hacked and used as a botnet to conduct DDoS (distributed-denial-of-service) attacks is, of course, untrue. The security company Fortinet confirmed that it was a hypothetical scenario, saying: “To clarify, the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs. It appears that due to translations the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred.”


Key dates

31 March 2024 – PCI DSS v4.0 transitioning deadline 

Version 3.2.1 of the PCI DSS (Payment Card Industry Data Security Standard) is being retired on 31 March, to be replaced by version 4.0 of the Standard. There are more than 50 new requirements in PCI DSS v4.0. You can find out more about them on the PCI Security Standards Council’s website.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.


Security Spotlight

To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.

Every Tuesday, you’ll get a short email with:

  • Industry news, including this weekly round-up;
  • Our latest research and statistics;
  • Interviews with our experts, sharing their insights and expertise;
  • Free useful resources; and
  • Upcoming webinars.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.