The cyber threat landscape in Europe continues to evolve, with cyber attacks targeting a number of institutions across the EU. The worrying aspect is that many breaches also go unreported, as European businesses often don’t report an incident for fear of their reputation being tarnished and instead choose to handle the fallout internally.
With the GDPR (General Data Protection Regulation) handing out record amounts of fines, it’s up to European businesses to quickly assess their cybersecurity capabilities and implement policies and protections adequate to meet international data protection standards.
It’s important for businesses to learn from as many incidents as possible to collectively improve their data security and data privacy practices, as well as gain insight on how to prevent data theft. This article will include a list of the biggest data breaches in Europe to date, how businesses were affected, and how they could have prevented the issues.
Top 21 Biggest Data Breaches in Europe
Here is a list of the top data breaches to occur in Europe:
1. British Airways
Date: June 2018 – September 2018
Impact: 380,000 to 500,000 customers
The ICO (Information Commissioner’s Office), an equivalent of Europe’s DPC and the body that upholds data privacy laws in the UK, confirmed the attack after noticing the airline’s website was diverted to a fraudulent hackers’ website.
According to data security experts, a supply chain attack on third-party payment services on the British Airways website was carried out via a malicious JavaScript code injection that siphoned payment data to unknown attackers. This method was confirmed by the fact that the compromised data included CVV codes that, in accordance with PCI-DSS standards, were not stored but processed when payments were made, which rendered database access unlikely.
The ICO issued a £183 million fine, the biggest fine levied as of 2018, but in October 2020, British Airways ended up paying a significantly lower sum of just £20 million ($26 million) for failing to protect the personal information and financial data of customers and affected data subjects.
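A common control against the third-party script injection described above is to pin each external script on a payment page with a Subresource Integrity (SRI) hash and to audit the page for scripts that are unpinned or no longer match. The audit below is an added example, not code from the original article or from British Airways; SRI is a mitigation the article itself does not name, and the hostnames, URLs and script bodies are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

ALGS = ("sha256", "sha384", "sha512")  # SRI algorithms, weakest to strongest

def sri(content: bytes, alg: str = "sha384") -> str:
    """Integrity value as written in a <script integrity="..."> attribute."""
    digest = hashlib.new(alg, content).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"

def matches(content: bytes, integrity: str) -> bool:
    """Like a browser: only hashes of the strongest listed algorithm count."""
    by_alg = {}
    for token in integrity.split():
        alg = token.partition("-")[0]
        if alg in ALGS:
            by_alg.setdefault(alg, []).append(token)
    if not by_alg:
        return False
    strongest = max(by_alg, key=ALGS.index)
    return sri(content, strongest) in by_alg[strongest]

class ScriptCollector(HTMLParser):
    """Collects the attributes of every <script src=...> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)
        if tag == "script" and attributes.get("src"):
            self.scripts.append(attributes)

def audit(html: str, page_host: str, served: dict) -> list:
    """Return (src, finding) per third-party script; served maps URL -> bytes delivered."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for script in collector.scripts:
        src = script["src"]
        host = urlparse(src).hostname  # None for relative (first-party) URLs
        if host is None or host == page_host:
            continue
        integrity = script.get("integrity")
        if not integrity:
            findings.append((src, "no integrity attribute"))
        elif src not in served:
            findings.append((src, "content not available for verification"))
        elif not matches(served[src], integrity):
            findings.append((src, "content does not match pinned hash"))
    return findings

# Constructed sample data: hypothetical hosts and script bodies.
PAGE_HOST = "shop.example"
SDK_URL = "https://pay.vendor.example/sdk.js"
VENDOR_JS = b"function pay(card){return tokenize(card);}"
ALTERED_JS = VENDOR_JS + b"/* bytes changed after the hash was pinned */"
HTML = f"""<html><body><form id="checkout"></form>
<script src="/js/app.js"></script>
<script src="{SDK_URL}" integrity="{sri(VENDOR_JS)}" crossorigin="anonymous"></script>
<script src="https://stats.vendor.example/t.js"></script>
</body></html>"""

if __name__ == "__main__":
    print(audit(HTML, PAGE_HOST, {SDK_URL: VENDOR_JS}))
    print(audit(HTML, PAGE_HOST, {SDK_URL: ALTERED_JS}))
```

Run against a checkout page in CI or on a schedule, the second case is the one that matters: the pinned vendor script is reported as soon as the bytes served for it differ from the hash recorded at review time.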
2. European Central Bank
Date: July 2014
The ECB would later suffer a malware attack in 2018, in which contact information for 500 subscribers was stolen as the Banks’ Integrated Reporting Dictionary (BIRD) was hacked.
3. PrivatBank
Date: July 2014
Impact: 40 million records
In July 2014, Ukraine’s PrivatBank was hacked by a pro-Russian hacker group, CyberBerkut, that stole and published customer data (including banking information, passport information, and personal data), then posted the stolen content on the Russian social media platform VKontakte. The security breach exposed over 40 million records of the bank’s customers.
The hacker group warned the bank’s customers to migrate their transactions to state-owned banks. Allegedly, the motives of the cyber attack were state-sponsored, as the attack was prompted after PrivatBank’s co-owner, Igor Kolomoisky, placed a $10,000 bounty on Russian saboteurs in Ukraine. The hacker group appears to have sought retaliation for the order.
However, in the end, no pro-Russian connections were found. Local cybersecurity experts claim that the cyber attack method was deemed unsophisticated by Russian standards.
4. Latvian State Revenue Service
Date: February 2010
Impact: 7.5 million financial data and tax records of state employees
In February 2010, an unknown hacker leaked confidential information from the Latvian State Revenue Service. Approximately 7.5 million tax records, financial information, and salaries of state employees were leaked periodically to Twitter and a Latvian TV station.
The perpetrator was discovered to be Ilmars Poikans, aka “Neo,” part of the “Fourth Awakening People’s Army” hacker group, who was arrested and sentenced in 2015. The hacker’s motive was to expose the high salaries of state employees in a one-man whistleblowing operation during a period when Latvia had high unemployment and poverty rates.
Besides payment details of bank managers and costly bailouts, no other confidential information was leaked. This propelled the Latvian IT researcher into a “Robin Hood” cult status level of popularity.
Eventually, the Latvian Supreme Court pardoned Poikans in December 2017, and some time afterward, he was sentenced to 100 hours of community service.
5. Warsaw Stock Exchange
Date: October 2014
Impact: 30,000 sets of investor login credentials
In October 2014, a suspected ISIS hacker group hacked the networks of the Warsaw Stock Exchange and rendered its website unavailable for two hours.
Moreover, the group also stole server IP addresses and infrastructure maps of WSN (wireless sensor networks), which confirms that they successfully gained unauthorized access. The exchange’s officials, though, claimed that the trading system was not compromised.
First believed to be affiliated with ISIS mercenaries, the hacker group posted a note on the stock exchange’s website stating that the cyber attack was a retaliation for Poland’s involvement in bombing the Islamic State areas in Iraq and Syria.
However, NATO officials claimed that the group was actually related to APT 28, a Russia-backed group of cybersecurity experts allegedly associated with the GRU.
There is no information as to how the hacker group accessed the stock exchange’s networks. The only known fact is that they exploited a vulnerability in the exchange’s web portal that served as a prototype for a new trading platform. At the same time, they also infiltrated the stock exchange’s public investment simulator.
6. Health Service Executive of Ireland
Date: May 2021
Impact: 520 patients and HSE staff, stolen confidential corporate data, a complete shutdown of HSE local and national networks
On May 14, 2021, one of Ireland’s largest medical systems, the Health Service Executive (HSE), suffered a major ransomware attack, the largest known security incident against an Irish state agency system to date. The attack disrupted the IT systems of several Irish hospitals and encrypted their database, forcing them to return to using paper-based records.
The hacker group that launched this cyber attack was identified to be the Russian-based “Wizard Spider” hacker group, which demanded €16.5 million to decrypt the data and not expose the files to the public. According to the National Cyber Security Centre, the perpetrators used the penetration testing tool Cobalt Strike to infect the HSE’s systems and a fast and sophisticated ransomware type called Conti to encrypt an unknown number of files and medical records.
The Irish government warned that the stolen medical records might be sold to other criminals to defraud and blackmail the patients. A variety of data was stolen, including:
- Personal data
- Medical records
- HSE corporate and administrative data
- Commercial data
Cybersecurity experts remarked that the HSE’s IT infrastructure was dangerously outdated, with 80,000 of the devices linked to the HSE’s central servers still running on Windows XP. Additionally, a review of the healthcare system found that the system was extremely fragmented, with dozens of health boards, hospital groups, and community organizations running on multiple systems.
By the end of September, five months after the incident was discovered, at least 95% of the HSE’s systems had been successfully decrypted and restored. The Chief Executive of the HSE, Paul Reid, estimated that the cost of the cyber attack would exceed €600 million.
7. COSMOTE Mobile Telecommunications
Date: September 2020
Impact: 4.8 million customers, 48 GB of data stolen
Greece’s largest mobile operator, COSMOTE Mobile Telecommunications, suffered a social engineering attack in September 2020 in which customers’ personal data was exposed.
Upon further investigation, it was revealed that the firm had been processing customer data illegally under GDPR requirements. The compromised data wasn’t fully encrypted, which enabled hackers to identify customers from the stolen data. Additionally, COSMOTE failed to notify the affected subscribers of the data breach as required by the GDPR.
In total, the positional data and personal details of subscribers, along with listing data from almost 7 million users from other providers that communicated with COSMOTE subscribers, were exposed.
Eventually, the HDPA (Hellenic Data Protection Authority) fined COSMOTE Mobile Telecommunications €6 million for multiple violations. Additionally, the OTE group, COSMOTE’s parent company, was also fined €3.25 million for incomplete security measures and failing to implement the required cybersecurity infrastructure to prevent data security breaches, as reported by Greek media.
8. Bulgarian National Revenue Agency
Date: July 2019
Impact: 5 million citizen records, 21 GB of data
In August 2019, the Bulgarian NRA (National Revenue Agency) suffered a data breach involving the sensitive information of approximately 5 million citizens, Bulgaria’s largest personal data breach to date. It was suspected that hackers used a SQL injection attack to infiltrate systems. The data that was leaked included:
- Wage and income records
- National identification numbers
- Tax payments
- Social security information
- Personal debt information
- Health and pension payments
- User data from online gambling websites
The Bulgarian DPA (Data Protection Authority), Bulgaria’s main data protection authority, issued the NRA a €2.6 million fine (5.1 million Bulgarian leva) for failing to take the required steps and measures to protect personal data and failing to conduct a proper risk assessment of their data processing operations. Additionally, part of the 11 GB of stolen sensitive data was leaked on various media platforms in Bulgaria.
The investigation also revealed that Bulgarian officials did not take the incident seriously and did not take sufficient action to limit the attack. Additionally, the Global Forum on Transparency and Exchange of Information for Tax Purposes, which includes countries like Switzerland, Germany, Singapore, and more, stopped exchanging information with Bulgaria.
9. Dutch government
Date: March 2020
Impact: 6.9 million records of registered organ donors
Unknown thieves stole two hard drives from the vault storage of the Dutch government that contained the personal data of approximately 6.9 million registered organ donors, almost half of the population of the Netherlands.
According to officials from the Dutch Ministry of Health, the drives included digital copies of the donors’ ID numbers, names, gender, signatures, and phone details from the Dutch Donor Register between February 1998 and June 2010.
Dutch authorities state that the two discs went missing when staff began to purge old paper forms and remove digital records, which were last used in 2016. The authorities reassure that it’s unlikely that the data will be used for fraud, as there are no copies of full IDs, and no evidence of exploits has surfaced on the dark web or online forums.
10. Kingfisher Insurance
Date: October 2022
UK’s Kingfisher Insurance states that their IT systems were penetrated by the infamous ransomware cartel LockBit, with Kingfisher promptly shutting the servers down after identifying the cyber incident. The cybercriminals stated that they had successfully obtained 1.4 TB of company data, including customer data and employee details.
Afterward, Kingfisher’s IT staff quickly blocked external access and shut down servers after the cyber attack. A Kingfisher spokesperson also made a statement that security measures had already been put in place and were able to mitigate any significant impact from the incident.
11. Scottish Environmental Protection Agency (SEPA)
Date: December 2020
Impact: 1.2 GB of data (over 4000 files)
At exactly 00:01 on Christmas Eve, 2020, SEPA (Scottish Environmental Protection Agency) suffered a ransomware attack by the Conti ransomware group, shutting off systems, impacting internal controls, and demanding a ransom to unlock the systems.
The files that were stolen included:
- Business information (site permits, authorizations, enforcement notices, corporate plans)
- Procurement information
- Project information
- Staff and employee information
On January 22, the group published approximately 4,000 data files on the dark web for free after the agency refused to pay the ransom. Senior leadership from SEPA stated that a full recovery would take significant time, money, and resources to achieve. In response, SEPA rebuilt its IT system architecture from the ground up, accelerating plans already in place to reform its IT systems.
12. Norfund
Date: March 2020
Impact: $10 million lost
Norfund states that the hackers manipulated communications, impersonated authorized staff to make payments, and falsified confidential information, documents, and payment details between a borrowing institution and the investment fund.
The hackers cunningly mimicked the parties’ use of language without causing suspicion and successfully intercepted the $10 million loan planned for a Cambodian microfinance institution. The money was sent to a Mexican bank account with the same name as the Cambodian institution.
Norfund teamed with PwC, local authorities, and the Norway Ministry of Foreign Affairs to identify the criminals and recover the money. However, it’s unclear if the money was recovered.
13. Loqbox
Date: February 2020
Impact: Unspecified amount of customer financial data
UK credit score builder and financial institution Loqbox was the victim of a “complex and sophisticated” data breach on February 20, 2020. Although the source and method of the breach were unspecified, Loqbox was criticized for delaying notifications to affected customers for over a week after discovering the incident.
The compromised data included:
- Names
- Addresses
- User account details
- Dates of birth
- Emails
- Phone numbers
- Incomplete bank account numbers
- Payment card dates
Loqbox stated that the customers’ funds are secure and unaffected, but there’s a chance that the first six and last four credit card digits may also be compromised and used in phishing scams. Although Loqbox acknowledged the attack and provided resources for customer protection, they also said there would be no compensation offered for lost data.
14. Travelex
Date: December 2019
Impact: 5 GB of customer data, $2.3 million ransom
London-based foreign exchange giant Travelex was the target of a Sodinokibi ransomware attack, with perpetrators demanding $6 million to bring their systems back online.
According to reports, the cyber attackers exploited an unpatched VPN to access Travelex’s systems, steal 5 GB of customer data, and execute a ransomware attack that disrupted operations. The hackers also threatened to publish the compromised customer data if their demands weren’t met within two days.
The attack affected the firm’s exchange services that branched between major banks, like Barclays and Lloyds, who used Travelex’s services. In total, Travelex systems were down for nearly two weeks and experienced business disruptions for more than a month after the incident.
It was reported that Travelex eventually caved to demands and paid the Sodinokibi criminal group $2.3 million in Bitcoin to recover their data. However, just seven months later, Travelex announced they had to lay off 1309 employees due to the attack.
15. Cayman National Bank (Isle of Man)
Date: November 2019
Impact: 2 TB of data
The Cayman National Corporation announced that the data theft was contained within the Isle of Man branch and did not affect the main Cayman National Bank operations or systems.
The group Phineas Fisher released a manifesto shortly after, saying they “robbed a bank to give the money away” and even offered a $100,000 reward to other hackers to follow suit and steal high-profile corporate documents. It’s unclear if Cayman National Bank customers were affected by the data breach.
16. Binance
Date: October 2022
Impact: $570 million stolen
Binance, the world’s largest cryptocurrency exchange, suffered a $570 million token theft in a series of attacks targeting blockchain vulnerabilities. The vulnerability allowed hackers to forge transactions and create 2 million fake BNB tokens on the network, valued at $570 million.
However, Binance was able to quickly contain the situation and notified the network validators to suspend operations. Still, approximately $100 million of funds remained unrecovered. Current Binance customers were largely unaffected because the tokens were falsely generated rather than stolen from accounts. Nevertheless, the hack represented growing uncertainty in the safety of the cryptocurrency world.
17. Wonga
Date: April 2017
Impact: 245,000 users
Wonga, a payday loan firm based in the UK, suffered a data leak that affected up to 245,000 customers. The exposed user data included names, addresses, bank account numbers, the last four digits of payment card numbers, and sort codes. On top of that, an additional 25,000 users from Poland were also affected.
Although Wonga didn’t release the method of attack and how the breach happened, they don’t believe accounts were compromised. Potentially affected customers were advised to change the passwords on their accounts.
18. Evercore
Date: December 2018
Impact: 160,000 data items
An Evercore representative stated that there was no evidence that the data was publicly found or misused, claiming that the perpetrator most likely sought to gain access to the administrator’s address book for further phishing attempts.
19. Tesco
Date: November 2016
Impact: 40,000 bank accounts compromised, £2.26 million stolen from 9000 bank accounts
In November 2016, UK-based retail bank Tesco suffered a card data theft after thieves exploited vulnerabilities in their card issuing procedure, allowing them to easily guess card numbers. The unknown criminals managed to extract £2.26 million from approximately 9,000 customers, roughly making up 6% of the bank’s customer base.
According to cybersecurity experts, the attackers used an algorithm to generate possible combinations to match Tesco’s beginning identifying numbers, exploiting Tesco’s sequential card number deficiency. Additionally, the bank was found to have other catastrophic security flaws, such as its debit card design and faulty authorization system.
For failing to meet security standards and deficiency in their bank card policy, the UK’s Financial Conduct Authority (FCA) fined Tesco £33 million. Because Tesco cooperated with the FCA, the penalty was later reduced to £16.4 million. Tesco also reimbursed any affected customers and compensated them for the inconvenience while also promising to implement enhanced security measures.
20. Eastern European banks
Date: December 2018
Impact: Tens of millions of dollars in stolen funds
Several Eastern European banks were the target of a series of unusual cyber attacks that involved connected electronic devices that were found inside the banks. Hackers related to the DarkVishnya bank heist targeted at least eight banks to steal tens of millions of dollars.
The hacker group physically accessed premises to connect USBs, laptops, and other electronic devices to scan the bank’s local network. They then found access to public shared folders and web servers and logged themselves into the banks’ systems, eventually infecting the system with malware.
Allegedly, the group had disguised themselves as potential employees looking for a position to gain access to the bank’s physical premises where systems are present. Once they accessed the bank’s infrastructure, the attackers could initiate withdrawals using foreign ATMs connected to the bank’s payment processor. They also used stolen credentials to temporarily bypass risk ratings and overdraft limits to simultaneously make cash withdrawals.
The exact number of the total damages, stolen data, and stolen money are unknown, but the attacks may have transferred funds and caused estimated damages of up to tens of millions in US dollars.
21. Allianz Life Insurance Company
Date: July 2025
Impact: Over 1 million people at risk, sensitive data lost on a majority of customers
The insurance giant, which operates across Europe, confirmed a cyberattack that resulted in the loss of sensitive customer data.
The attack occurred when an unauthorized actor accessed a third-party Customer Relationship Management (CRM) system the company uses. The incident highlights the growing risks associated with third-party vendor relationships.
