The cyber threat landscape in Europe continues to evolve, with cyber attacks targeting multiple institutions across the EU. The worrying aspect is that many breaches also go unreported, as European businesses often do not report an incident for fear of their reputation being tarnished and instead opt to manage the fallout internally.
With the GDPR (General Data Protection Regulation) producing record fines, it’s up to European businesses to quickly assess their cybersecurity capabilities and implement policies and protections adequate to meet worldwide data security standards.
It’s important for businesses to learn from as many incidents as possible to collectively improve their data security and data privacy practices, as well as gain insight on how to prevent data theft. This article will include a list of the biggest data breaches in Europe to date, how businesses were affected, and how they could have prevented the issues.
Top 20 Biggest Data Breaches in Europe
Here is a list of the top data breaches to occur in Europe:
1. British Airways
Date: June 2018 – September 2018
Impact: 380,000 to 500,000 customers
British Airways suffered a data breach that compromised the data and credit card details of roughly 380,000 to 500,000 customers in the summer of 2018. The hackers stole names, addresses, emails, credit card numbers, and card security codes.
The ICO (Information Commissioner's Office), the UK’s data protection regulator and the counterpart of EU authorities such as the DPC, confirmed the attack after noticing that traffic to the airline’s website was being diverted to a fraudulent site set up by the attackers.
According to data security experts, the breach was a supply chain attack on the third-party payment components of the British Airways website: malicious JavaScript injected into the payment pages siphoned payment data to unknown attackers. This method was confirmed by the fact that the compromised data included CVV codes, which under PCI DSS are processed when a payment is made but never stored, making access to a stored database an unlikely explanation.
The ICO issued a £183 million fine, the biggest fine levied as of 2018, but in October 2020, British Airways ended up paying a significantly lower sum of merely £20 million ($26 million) for failing to protect the personal records and financial data of customers and affected data subjects.
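Two controls that limit this kind of client-side skimming are Subresource Integrity on third-party scripts and a Content Security Policy that restricts where page scripts may send data. The following Python is an added example, not British Airways’ or any payment vendor’s code; the merchant origin shop.example, the script hosts, the payment host and the checkout HTML are constructed assumptions.

```python
# Added example, not British Airways' or any vendor's code: audit a checkout
# page for third-party <script> tags that lack Subresource Integrity, compute
# the SRI pin for a known-good script, and build a Content Security Policy that
# limits where page scripts may send data. All names and HTML are constructed.
import base64
import hashlib
import re
from urllib.parse import urlparse

FIRST_PARTY = "shop.example"  # hypothetical merchant origin

# Constructed checkout page: one first-party script, one pinned third-party
# script and one unpinned third-party script (what a skimmer would replace).
SAMPLE_HTML = """
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example/lib.js"
        integrity="sha384-abc" crossorigin="anonymous"></script>
<script src="https://stats.example/tracker.js"></script>
<script>console.log("inline");</script>
</head></html>
"""

SCRIPT_TAG = re.compile(r"<script\b[^>]*>", re.IGNORECASE)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
INTEGRITY_ATTR = re.compile(r"\bintegrity\s*=", re.IGNORECASE)


def audit_scripts(html, first_party):
    """(src, host, is_third_party, has_integrity) for every external script."""
    findings = []
    for tag in SCRIPT_TAG.findall(html):
        m = SRC_ATTR.search(tag)
        if not m:
            continue  # inline scripts are out of scope here
        src = m.group(1)
        host = urlparse(src).hostname or first_party  # relative => first party
        has_sri = INTEGRITY_ATTR.search(tag) is not None
        findings.append((src, host, host != first_party, has_sri))
    return findings


def unpinned_third_party(html, first_party):
    """Third-party scripts without SRI: if the vendor or CDN is compromised the
    browser still runs whatever is served, including a card skimmer."""
    return [src for src, _, third, sri in audit_scripts(html, first_party)
            if third and not sri]


def sri_hash(body):
    """SRI value to pin in the integrity attribute for a known-good script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


def checkout_csp(script_hosts, payment_host):
    """Allow scripts only from listed hosts, and let scripts send data or submit
    forms only to the first party and the payment provider, so an injected
    skimmer's exfiltration is blocked and reported as a CSP violation."""
    scripts = " ".join(["'self'"] + [f"https://{h}" for h in script_hosts])
    return "; ".join([
        "default-src 'self'",
        f"script-src {scripts}",
        f"connect-src 'self' https://{payment_host}",
        f"form-action 'self' https://{payment_host}",
    ])


if __name__ == "__main__":
    print(unpinned_third_party(SAMPLE_HTML, FIRST_PARTY))
    print(checkout_csp(["cdn.example"], "pay.example"))
```

SRI pinning only helps for scripts whose exact contents are known in advance, so a vendor that serves a changing script must be handled by the CSP and by monitoring instead.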
2. European Central Bank
Date: July 2014
Impact: 20,000 email addresses
On July 24, 2014, the ECB (European Central Bank) announced that they had suffered a data breach after unknown bad actors attempted to ransom the stolen data back to the bank on July 21. The hackers breached the bank’s database security and stole 20,000 emails and European event registrants’ contact information.
The bank claims that 95% of the data was encrypted, and the exploited vulnerability was immediately fixed. Besides the emails and contact info, no other data or systems were known to be compromised. It’s speculated that the attack was the result of a brute-force password-cracking attempt to gain access to an unspecified application. Following the incident, the bank contacted all affected parties to reset their passwords for the breached system.
The ECB would later suffer a malware attack in 2018, in which contact information for 500 subscribers was stolen when the Bank’s Integrated Reporting Dictionary (BIRD) website was hacked.
3. PrivatBank
Date: July 2014
Impact: 40 million records
In July 2014, Ukraine’s PrivatBank was hacked by a pro-Russian hacker group, CyberBerkut, which stole customer data (including banking information, passport information, and personal data) and posted it on the Russian social media platform VKontakte. The security breach exposed over 40 million records of the bank’s customers.
The hacker group warned the bank’s customers to migrate their transactions to state-owned banks. Allegedly, the motives of the cyber attack were state-sponsored, as the attack was prompted after PrivatBank’s co-owner, Igor Kolomoisky, placed a $10,000 bounty on Russian saboteurs in Ukraine. The hacker group seems to have sought retaliation for the order.
However, in the end, no pro-Russian connections were found. Local cybersecurity experts claim that the cyber attack method was deemed unsophisticated by Russian standards.
4. Latvian State Revenue Service
Date: February 2010
Impact: 7.5 million financial data and tax records of state employees
In February 2010, an unknown hacker leaked confidential information from the Latvian State Revenue Service. Approximately 7.5 million tax records, financial information, and salaries of state employees were leaked periodically to Twitter and a Latvian TV station.
The perpetrator was discovered to be Ilmars Poikans, aka “Neo,” part of the “Fourth Awakening People's Army” hacker group, who was arrested and sentenced in 2015. The hacker’s motive was to expose the high salaries of state employees in a one-man whistleblowing operation during a period when Latvia had high unemployment and poverty rates.
Besides payment details of bank managers and costly bailouts, no other confidential information was leaked. This propelled the Latvian IT researcher into a “Robin Hood” cult status level of popularity.
Ultimately, the Latvian Supreme Court pardoned Poikans in December 2017, and some time afterward, he was sentenced to 100 hours of community service.
5. Warsaw Stock Exchange
Date: October 2014
Impact: 30,000 sets of investor login credentials
In October 2014, a suspected ISIS hacker group hacked the networks of the Warsaw Stock Exchange and rendered their website unavailable for two hours.
The perpetrators stole and exposed login credentials, emails, and passwords of stock brokers, as well as info about employees from prominent firms like JPMorgan and Bank of America. Using the stolen credentials, the group also managed to steal customer data and private data from the private inboxes of stock exchange brokers.
Moreover, the group also stole server IP addresses and infrastructure maps of WSN (wireless sensor networks), which confirms that they successfully gained unauthorized access. The exchange’s officials, though, claimed that the trading system was not compromised.
First believed to be affiliated with ISIS mercenaries, the hacker group posted a note on the stock exchange’s website stating that the cyber attack was a retaliation for Poland’s involvement in bombing the Islamic State regions in Iraq and Syria.
However, NATO officials claimed that the group was actually related to APT 28, a Russia-backed hacking group allegedly associated with the GRU.
There is no information as to how the hacker group accessed the stock exchange’s networks. The only known fact is that they exploited a vulnerability in the exchange’s web portal that served as a prototype for a new trading platform. At the same time, they also infiltrated the stock exchange’s public investment simulator.
6. Health Service Executive of Ireland
Date: May 2021
Impact: 520 patients and HSE staff, stolen confidential corporate data, a complete shutdown of HSE local and national networks
On May 14, 2021, one of Ireland’s largest medical systems, the Health Service Executive (HSE), suffered a major ransomware attack, the largest known security incident against an Irish state agency system to date. The attack disrupted the IT systems of several Irish hospitals and encrypted their database, forcing them to return to using paper-based records.
The hacker group that launched this cyber attack was identified to be the Russian-based “Wizard Spider” hacker group, which demanded €16.5 million to decrypt the data and not expose the data to the public. According to the National Cyber Security Centre, the perpetrators used the penetration testing tool Cobalt Strike to infect the HSE’s systems and a fast and sophisticated ransomware type known as Conti to encrypt an unknown amount of data and medical records.
The Irish government warned that the stolen medical records might be sold to other criminals to defraud and blackmail the patients. A variety of data was stolen, including:
- Personal data
- Medical records
- HSE corporate and administrative data
- Commercial data
Cybersecurity experts remarked that the HSE’s IT infrastructure was dangerously outdated, with 80,000 of the devices connected to the HSE’s central servers still operating on Windows XP. Additionally, a review of the healthcare system found that the system was extremely fragmented, with dozens of health boards, hospital groups, and community organizations operating on multiple systems.
By the end of September, five months after the incident was discovered, at least 95% of the HSE’s systems were successfully decrypted and restored. The Chief Executive of the HSE, Paul Reid, estimated that the cost of the cyber attack would exceed €600 million.
7. COSMOTE Mobile Telecommunications
Date: September 2020
Impact: 4.8 million customers, 48 GB of data stolen
Greece’s largest mobile operator, Cosmote Mobile Telecommunications, suffered a social engineering attack in September 2020 in which customers’ personal data was exposed.
Upon further investigation, it was revealed that the firm had been processing customer data illegally, in breach of GDPR requirements. The compromised data wasn’t fully encrypted, which enabled hackers to identify customers from the stolen data. Furthermore, COSMOTE failed to notify the affected subscribers of the data breach as required by the GDPR.
In total, the positional data and personal details of subscribers, along with directory data from almost 7 million users from other providers that communicated with COSMOTE subscribers, were exposed.
Ultimately, the HDPA (Hellenic Data Protection Authority) fined COSMOTE Mobile Telecommunications €6 million for multiple violations. Additionally, the OTE group, COSMOTE’s parent company, was fined €3.25 million for incomplete security measures and failing to implement the cybersecurity infrastructure required to prevent data security breaches, as reported by Greek media.
8. Bulgarian National Revenue Agency
Date: July 2019
Impact: 5 million citizen records, 21 GB of data
In August 2019, the Bulgarian NRA (National Revenue Agency) suffered a data breach involving the sensitive information of approximately five million citizens, Bulgaria’s biggest personal data breach to date. It was suspected that hackers used a SQL injection attack to infiltrate systems. The data that was leaked included:
- Salary and revenue records
- National identification numbers
- Tax payments
- Social security information
- Personal debt information
- Health and pension payments
- User information from online gambling websites
Bulgaria’s data protection authority (DPA) issued the NRA a €2.6 million fine (5.1 million Bulgarian leva) for failing to take the necessary measures to protect personal data and failing to conduct a proper risk assessment of its data processing operations. Additionally, part of the 11 GB of stolen sensitive data was leaked on various media platforms in Bulgaria.
The investigation also revealed that Bulgarian officials did not take the incident seriously and failed to take sufficient action to limit the attack. Furthermore, the Global Forum on Transparency and Exchange of Information for Tax Purposes stopped exchanging information with Bulgaria, which included countries like Switzerland, Germany, Singapore, and more.
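The page only says a SQL injection was suspected; the following added Python (not the NRA’s code) shows the query flaw that term describes beside its parameterized fix and an input-validation layer, using a constructed in-memory SQLite table of taxpayer rows in place of any real system.

```python
# Added example (not the NRA's code): a taxpayer lookup built by string
# concatenation, the classic SQL injection flaw, beside its parameterized fix.
# The table and its rows are constructed for illustration.
import re
import sqlite3


def make_db():
    """In-memory taxpayer table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE taxpayers (national_id TEXT, name TEXT, income INTEGER)")
    conn.executemany("INSERT INTO taxpayers VALUES (?, ?, ?)", [
        ("1001", "A. Ivanova", 21000),
        ("1002", "B. Petrov", 34000),
        ("1003", "C. Dimitrova", 52000),
    ])
    return conn


def lookup_vulnerable(conn, national_id):
    """Builds the SQL text from user input, so the input is parsed as SQL:
    a value containing a quote can rewrite the WHERE clause and dump every row."""
    sql = ("SELECT national_id, name, income FROM taxpayers "
           "WHERE national_id = '" + national_id + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, national_id):
    """Passes the value separately from the query text; the driver binds it as
    data, never as SQL, so the same crafted input simply matches nothing."""
    sql = "SELECT national_id, name, income FROM taxpayers WHERE national_id = ?"
    return conn.execute(sql, (national_id,)).fetchall()


def is_valid_national_id(value):
    """Defence in depth: reject anything that is not a plain digit string
    before it reaches the database at all."""
    return re.fullmatch(r"\d{4,12}", value) is not None


# Classic tautology input, constructed for the demonstration.
CRAFTED = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1002"))       # the intended single row
    print(lookup_vulnerable(db, CRAFTED))      # all three rows leak
    print(lookup_parameterized(db, CRAFTED))   # []
    print(is_valid_national_id(CRAFTED))       # False
```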
9. Dutch government
Date: March 2020
Impact: 6.9 million records of registered organ donors
Unknown thieves stole two hard drives from the vault storage of the Dutch government that contained the personal data of approximately 6.9 million registered organ donors, almost half of the population of the Netherlands.
According to officials from the Dutch Ministry of Health, the drives included electronic copies of the donors’ ID numbers, names, gender, signatures, and contact details from the Dutch Donor Register between February 1998 and June 2010.
Dutch authorities state that the two drives went missing when staff began to purge outdated paper forms and remove electronic records, which were last used in 2016. The authorities reassure the public that it’s unlikely the data will be used for fraud, as there are no copies of full IDs, and no evidence of misuse has surfaced on the dark web or online forums.
10. Kingfisher Insurance
Date: October 2022
Impact: 1.4 TB of company data, employee emails, and customer data
The UK’s Kingfisher Insurance stated that its IT systems were penetrated by the infamous ransomware cartel LockBit, with Kingfisher promptly shutting the servers down after identifying the cyber incident. The cybercriminals stated that they had successfully obtained 1.4 TB of company data, including customer data and employee details.
The firm refutes that the hackers could have stolen such an amount of data, reassuring that it’s “impossible for the criminal group behind this incident to have taken 1.4 TB of data from the servers they indicate.” However, the threat actors leaked several email addresses and passwords of high-ranking Kingfisher Insurance employees in response.
Afterward, Kingfisher’s IT staff quickly blocked external access and shut down the affected servers. A Kingfisher spokesperson also stated that security measures already in place had been able to mitigate any significant impact from the incident.
11. Scottish Environmental Protection Agency (SEPA)
Date: December 2020
Impact: 1.2 GB of data (over 4000 files)
At exactly 00:01 on Christmas Eve, 2020, SEPA (Scottish Environmental Protection Agency) suffered a ransomware attack by the Conti ransomware group, shutting off systems, impacting internal controls, and demanding a ransom to unlock the systems.
The files that were stolen included:
- Business information (site permits, authorizations, enforcement notices, corporate plans)
- Procurement information
- Project information
- Staff and employee information
On January 22, the group published approximately 4,000 data files on the dark web for free after the agency refused to pay the ransom. Senior leadership from SEPA acknowledged that a full recovery would take significant time, money, and resources to achieve. In response, SEPA rebuilt its IT system architecture from the ground up, accelerating plans that were already in place to reform its IT systems.
12. Norfund
Date: March 2020
Impact: $10 million lost
On May 13, Norfund, Norway's state-owned investment fund for developing countries and the world’s largest sovereign wealth fund, revealed that it was a victim of a $10 million BEC (business email compromise) scam — one of the biggest and “cleanest” heists in cybersecurity history.
Allegedly, unknown scammers had breached the investment fund’s email systems and had been intercepting messages. They had learned how the investment fund communicates and operates, patiently monitoring their communications and gathering information for months to pull the heist off.
Norfund states that the hackers manipulated communications, impersonated authorized staff to make payments, and falsified confidential information, documents, and payment details between a borrowing institution and the investment fund.
The hackers cunningly mimicked their use of language without causing suspicion between parties and successfully intercepted the $10 million loan planned for a Cambodian microfinance institution. The money was sent to a Mexican bank account with the same name as the Cambodian institution.
Norfund teamed up with PwC, local authorities, and the Norwegian Ministry of Foreign Affairs to identify the criminals and recover the money. However, it is unclear whether the money was recovered.
13. Loqbox
Date: February 2020
Impact: Unspecified amount of customer financial data
UK credit score builder and financial institution Loqbox was the victim of a “complex and sophisticated” data breach on February 20, 2020. Although the source and method of the breach were unspecified, Loqbox was criticized for delaying notifications to affected customers for over a week after discovering the incident.
The compromised data included:
- Names
- Addresses
- User account details
- Dates of birth
- Emails
- Phone numbers
- Incomplete bank account numbers
- Payment card dates
Loqbox stated that the customers’ funds are secure and unaffected, but there’s a chance that the first six and last four credit card digits may also be compromised and used in phishing scams. Although Loqbox acknowledged the attack and provided resources for customer protection, it also said there would be no compensation for lost data.
14. Travelex
Date: December 2019
Impact: 5 GB of customer data, $2.3 million ransom
London-based foreign exchange giant Travelex was the target of a Sodinokibi ransomware attack, with the perpetrators demanding $6 million to restore its systems.
According to reports, the attackers exploited an unpatched VPN vulnerability to access Travelex’s systems, steal 5 GB of customer data, and deploy ransomware that disrupted operations. The hackers also threatened to publish the compromised customer data if their demands weren’t met within two days.
The attack affected the firm’s exchange services that branched between major banks, like Barclays and Lloyds, who used Travelex’s services. In total, Travelex systems were down for nearly two weeks and experienced business disruptions for more than a month after the incident.
It was reported that Travelex eventually caved to the demands and paid the Sodinokibi criminal group $2.3 million in Bitcoin to recover its data. However, just seven months later, Travelex announced it had to lay off 1,309 employees as a result of the attack.
15. Cayman National Bank (Isle of Man)
Date: November 2019
Impact: 2 TB of data
UK-based Cayman National Bank and Trust Company suffered a data breach in its Isle of Man branch in November 2019. Black hat hacker group Phineas Fisher claimed responsibility for the attack, citing almost 2 TB of data stolen. The data included information on the bank’s 1,400 customers, covering almost 640,000 emails and 3,800 bank accounts.
The Cayman National Corporation announced that the data theft was contained within the Isle of Man branch and did not affect the main Cayman National Bank operations or systems.
The group Phineas Fisher released a manifesto shortly after, saying they “robbed a bank to give the money away” and even offered a $100,000 reward to other hackers to follow suit and steal high-profile corporate documents. It is unclear if Cayman National Bank customers were affected by the data breach.
16. Binance
Date: October 2022
Impact: $570 million stolen
Binance, the world’s biggest cryptocurrency exchange, suffered a $570 million token theft in a series of attacks targeting blockchain vulnerabilities. The vulnerability allowed hackers to forge transactions and create 2 million fake BNB tokens on the network, valued at $570 million.
Binance was able to quickly contain the situation and notified the network validators to suspend operations. However, roughly $100 million of funds remained unrecovered. Existing Binance customers were largely unaffected because the tokens were falsely generated rather than stolen from accounts. Nevertheless, the hack reflected growing uncertainty about the safety of the cryptocurrency world.
17. Wonga
Date: April 2017
Impact: 245,000 users
Wonga, a payday loan firm based in the UK, suffered a data leak that affected up to 245,000 customers. The exposed user data included names, addresses, bank account numbers, the last four digits of payment card numbers, and sort codes. On top of that, an additional 25,000 users from Poland were also affected.
Although Wonga did not release the method of attack and how the breach occurred, they do not believe accounts were compromised. Potentially affected customers were advised to change the passwords on their accounts.
18. Evercore
Date: December 2018
Impact: 160,000 data objects
Evercore, a global investment banking firm and mergers and acquisitions leader, suffered a phishing attack that led to the theft of 160,000 data records. The hackers targeted the bank’s junior administrators in a phishing attack, accessing their inboxes and successfully stealing confidential information, including company documents, important emails, and details of upcoming M&A deals.
An Evercore representative stated that there was no evidence that the data had been publicly exposed or misused, claiming that the perpetrator most likely sought access to the administrators’ address books for further phishing attempts.
19. Tesco
Date: November 2016
Impact: 40,000 bank accounts compromised, £2.26 million stolen from 9,000 bank accounts
In November 2016, UK-based retail bank Tesco suffered a card data theft after thieves exploited vulnerabilities in its card issuing procedure, allowing them to easily guess card numbers. The unknown criminals managed to extract £2.26 million from approximately 9,000 customers, making up roughly 6% of the bank’s customer base.
According to cybersecurity experts, the attackers used an algorithm to generate candidate card numbers that matched the leading issuer-identifying digits of Tesco’s cards, exploiting the fact that Tesco issued card numbers sequentially. Additionally, the bank was found to have other catastrophic security flaws, such as its debit card design and a faulty authorization system.
For failing to meet security standards and deficiency in their bank card policy, the UK’s Financial Conduct Authority (FCA) fined Tesco £33 million. Because Tesco cooperated with the FCA, the penalty was later reduced to £16.4 million. Tesco also reimbursed any affected customers and compensated them for the inconvenience while also promising to implement enhanced security measures.
20. Eastern European banks
Date: December 2018
Impact: Tens of millions of dollars in stolen funds
Several Eastern European banks were the target of a series of unusual cyber attacks that involved rogue electronic devices planted inside the banks’ premises. Hackers behind the campaign known as DarkVishnya targeted at least eight banks to steal tens of millions of dollars.
The hacker group physically accessed the premises to connect USB devices, laptops, and other electronic devices to the banks’ local networks and scan them. They then found access to public shared folders and web servers, logged themselves into the banks’ systems, and ultimately infected the systems with malware.
Allegedly, the group had disguised themselves as potential employees searching for a position to gain access to the bank’s physical premises where systems are present. Once they accessed the bank’s infrastructure, the attackers could initiate withdrawals using foreign ATMs connected to the bank’s payment processor. They also used stolen credentials to temporarily bypass risk ratings and overdraft limits to simultaneously make cash withdrawals.
The exact total of the damages, stolen data, and stolen money is unknown, but the attacks are estimated to have transferred funds and caused damages of up to tens of millions of US dollars.