The Week in Cyber Security and Data Privacy in Europe: 8 – 14 April 2024

1,030,301 known records breached in 25 newly disclosed incidents

Welcome to this week’s round-up of the biggest and most interesting news stories in Europe.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

Almost 300,000 taxi passengers’ data exposed by iCabbi

The security researcher Jeremiah Fowler has discovered an unprotected database containing the names, phone numbers and email addresses of thousands of taxi passengers in the UK and Ireland.

The database belonged to the Dublin-based fleet management technology vendor iCabbi. According to Fowler, the database contained nearly 300,000 customer user IDs, including email addresses from the BBC and several government departments.

Fowler informed iCabbi of his discovery, which blamed human error and said it would make its customers aware of the breach.

Data breached: 287,000 records.

SMC and Carrier Global software error exposes alarm logout codes

The security researcher Joris Talma has discovered a software error exposing the logout codes of thousands of alarms used by the SMC emergency centre in the Netherlands, which could allow the alarm systems to be deregistered remotely. Despite warning SMC and the software company, Global Carrier, for a year, Talma got no response, so informed the local media outlet BNR Nieuwsradio.

According to research by BNR Nieuwsradio, at least 26,000 active security systems in the Netherlands are affected, including “alarm systems of supermarkets, banks, government departments, town and county halls, utility companies, a printer of money paper and even Fox-IT, a company that keeps state secrets”.

Data breached: more than 26,000 alarm codes.

Publicly disclosed data breaches and cyber attacks in Europe: full list

This week, we found 1,030,301 records known to be compromised in Europe, and 25 European organisations suffering a newly disclosed incident. 19 of them are known to have had data exfiltrated, exposed or otherwise breached. Only 2 definitely haven’t had data breached.

We also found 1 European organisation providing a significant update on a previously disclosed incident.

Organisation(s)SectorLocationData breached?Known data breached
Unknown (attributed to Accor)
Source 1; source 2
(New)
HospitalityFranceYes642,000
iCabbi
Source
(New)
SoftwareUKYes287,000
Nexperia
Source
(New)
ManufacturingNetherlandsYes74 GB
forum.kasperskyclub.ru
Source 1; source 2
(Update)
IT servicesRussiaYes55,971
SMC and Carrier Global
Source
(New)
SoftwareNetherlandsYes>26,000
Autoritatea Electorală Permanentă
Source
(New)
PublicRomaniaYes1,300
Yoga4Yogi
Source
(New)
Professional servicesCzech RepublicYesUnknown
Académie de Lyon and Ministère de l’Éducation nationale et de la Jeunesse
Source
(New)
Education and publicFranceYesUnknown
Le Slip Français
Source
(New)
RetailFranceYesUnknown
Multiplayer.it
Source
(New)
IT servicesItalyYesUnknown
Maccarinelli Autonegozi
Source
(New)
RetailItalyYesUnknown
Orderchamp
Source
(New)
IT servicesNetherlandsYesUnknown
Tkachev Agricultural Complex
Source
(New)
AgriculturalRussiaYesUnknown
OwenCloud.ru
Source
(New)
SoftwareRussiaYesUnknown
Moskollektor
Source
(New)
UtilitiesRussiaYesUnknown
NRS Healthcare
Source
(New)
HealthcareUKYesUnknown
THSP
Source
(New)
PublicUKYesUnknown
CVS Group Plc
Source
(New)
VeterinaryUKYesUnknown
Paris Saint-Germain
Source
(New)
LeisureFranceUnknownUnknown
Saint-Nazaire et agglomeration
Source
(New)
PublicFranceUnknownUnknown
GBI-Genios Deutsche Wirtschaftsdatenbank GmbH
Source
(New)
MediaGermanyUnknownUnknown
Casa Árabe
Source
(New)
PublicSpainUnknownUnknown
Belvedere Vodka UK
Source
(New)
ManufacturingUKNo0
TUC (Trades Union Congress)
Source
(New)
Non-profitUKNo0

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all. To learn more about our research methodology, click here.


AI

AI-written PowerShell script used in malicious email campaigns targeting German organisations

Bleeping Computer reports that a threat actor is using a PowerShell script “likely” created with ChatGPT or a similar AI model to spread the Rhadamanthys information stealer via email.

The security company Proofpoint attributed the attack to a threat actor tracked as TA547, also known as Scully Spider.

ICO seeks views on generative AI models’ accuracy

The ICO (Information Commissioner’s Office) has launched a consultation on how data protection law applies to generative AI, particularly in relation to its accuracy.

The Information Commissioner, John Edwards, commented: “In a world where misinformation is growing, we cannot allow misuse of generative AI to erode trust in the truth. Organisations developing and deploying generative AI must comply with data protection law – including our expectations on accuracy of personal information.”

The consultation is open until 5:00 pm on 10 May 2024.


Enforcement

European Parliament votes to enhance GDPR enforcement

MEPs have voted in favour of amendments to the GDPR (General Data Protection Regulation) that strengthen the Regulation’s enforcement. The amendments change the role of the supervisory authorities and remove some of their obligations to share the findings of their investigations.

Police investigating LockBit ransomware gang seek 200 suspected criminals

Police have matched some 200 LockBit affiliates’ pseudonyms to their real identities. A police spokesperson, who asked to remain anonymous, told Bloomberg that they “now have a clear idea of LockBit’s hierarchy and its most influential members, who they plan to pursue”.


Other news

Browser security updates from Google Chrome and DuckDuckGo

Google has announced a more secure – and paid – version of its enterprise browser: Chrome Enterprise Core. It offers threat and data protection, more control options and reporting capabilities.

Meanwhile, DuckDuckGo launched a new paid subscription service: Privacy Pro. This includes a VPN (virtual private network), a personal data removal service and a solution in case of identity theft.

CISA releases new malware analysis system

The US CISA (Cybersecurity and Infrastructure Security Agency) has released Malware Next-Gen, a new malware analysis system. This allows organisations to submit malware samples and “other suspicious artifacts” for more automated analysis and enhanced cyber defences.

91,000 LG smart TVs vulnerable to attack

Bitdefender has discovered four security vulnerabilities affecting multiple versions of LG Electronics WebOS – the operating system used in its smart TVs.

According to Bleeping Computer, the vulnerabilities “enable varying degrees of unauthorized access and control over affected models, including authorization bypasses, privilege escalation, and command injection”.

USDoD attempting to sell 2.9 billion data records from UK, US and Canada

A threat actor known as USDoD has listed a 4 TB database apparently containing 2.9 billion rows of data on a dark web forum. Given the scale of the database, we await verification before adding it to our listings.

OpenTable rethinks intention to show members’ identities

The restaurant reservation platform OpenTable has backtracked on its decision to show users’ profile pictures and names on previously anonymous restaurant reviews following privacy complaints.


Recently published reports


Key dates

11 April 2024 – Interoperable Europe Act enforced

The EU Interoperable Europe Act, which is “essential” for reaching the objectives of the EU Digital Decade, was enforced on 11 April. This Act will “facilitate cross-border data exchange and accelerate the digital transformation of the public sector”.

30 April 2024 – ISO/IEC 27001:2013 certification unavailable

Certification bodies must stop offering (re)certification to ISO 27001:2013 by 30 April. The new iteration of the Standard, ISO 27001:2022, isn’t significantly different from ISO 27001:2013, but there are some notable changes. Learn more about complying with ISO 27001:2022.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.


Security Spotlight

To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.

Every Tuesday, you’ll get a short email with:

  • Industry news, including this weekly round-up;
  • Our latest research and statistics;
  • Interviews with our experts, sharing their insights and expertise;
  • Free useful resources; and
  • Upcoming webinars.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.