Timeline of GDPR Breaches
Personal data breach incidents registered in Europe during the first two months of GDPR.
By the 6th of June, more than 1,300 “concerns or complaints” have been made to the Data Protection Commission since the General Data Protection (GDPR) came into force, while firms had already logged 60 breaches of people’s personal data. The timeline below offers an overview of Cyber Incidents in Europe since 25th of May 2018, when GDPR came into force, until the end of July.
2nd June – Denmark
The Open Ledger group cautioned their customers that it was unsafe to use their domain and sign into their accounts, even when the URL appeared to be trustworthy. Malicious actors duplicated the website hoping to phish user credentials. As a result, deposits, withdrawals, trading, and transfer operations remained suspended.
13th June – UK
As the incident entered the public domain, Dixons Carphone, one of Europe’s largest retailers of electronics, disclosed about a data breach involving 5.9 million payment cards and 1.2 million personal records. As of 6th of August, the number was in fact 10 million records, but no payment cards or bank details were affected.
23rd June 2018 – UK
Ticketmaster, part of the Live Nation Entertainment group, declared that malware on a customer support product hosted by Inbenta Technologies (an external third-party supplier) was exporting UK customers’ data to an unknown third-party. As a result, some of its customers’ personal or payment information may have been accessed by this third party. The company is facing questions regarding a delay in reporting this incident, as it emerged that some UK banks had known about it since April.
2nd July – UK
The NHS accidentally disclosed data on 150,000 patients who did not agree to share their personal information. Hundreds of organisations, including some private companies, had access to records from all the patients affected by this error. The data breach, which stretches back three years to March 2015, was caused by a coding error by a major IT supplier to the NHS. The error only came to light when TTP, the host of the electronic records for nearly 50% of all patients in England, switched to a new coding system at the end of June.
3rd July – UK
People who applied for jobs at one of the companies belonging to the Bedfordshire-headquartered Whitbread (including Costa Coffee and Premier Inn) have had their data exposed due to a data breach incident which involved the hacking of their Page Up website. The stolen information included names, email addresses, physical addresses, telephone numbers, and detailed employment information of the applicants.
4th July – Denmark
Berlingske, a Danish daily newspaper, received bank statements from 20 companies that held accounts at Danske Bank’s scandal-ridden Estonian branch between 2007 and 2015. The leak affected more than 43,000 transactions. Moreover, various examples pointed to money laundering, including 132 transactions to real estate agents for lavish properties, 24 to sellers of diamonds and precious stones; and 25 to purveyors of luxury cars.
9th July – International
Names, email addresses, phone numbers, and encryption keys of about 21 million users that enable Timehop to read and show social media posts were stolen.
9th July – Norway
Using only a booking reference number, Norwegian programmer Roy Solberg came across an enumeration bug that leaked the full names of all travellers on a booking, along with the email addresses they used, and flight details from Thomas Cook Airlines’ systems. Solberg reckoned on Sunday that data of bookings made with Thomas Cook Airlines through Ving Norway, Ving Sweden, Spies Denmark, and Apollo Norway were affected by this vulnerability. Data going back to 2013 was obtainable before this hole was closed.
20th July – UK (Northern Ireland)
Northern Ireland’s Police forces are investigating allegations of a data breach that handled personal details of citizens to suspected loyalist paramilitaries.
Strategies to stay ahead of all existing and upcoming regulations, as well as other legal issues affecting Cyber Security in the Nordic Region, will be discussed at the NordX Summit in Copenhagen, February 12th and 13th 2019.
For more information, please visit: www.cyberseries.io/nordX