Top 20 Largest-Ever Cyberattacks in Europe

British Airways

• When: June 2018 – September 2018
• What: The personal and credit card data of 380,000 – 500,000 customers were accessed by hackers. The data included names, emails, addresses, credit card numbers, and card security codes
• How: A Supply-Chain Attack on a third-party payment service on the British Airways’ official website

Between June and September 2018, the website of British Airways was infiltrated by hackers via a supply chain attack. A JavaScript code injection was used on a third-party payment service on the website.

This led to the unauthorized access of payment and personal data to the cybercriminals. Around 380,000 – 500,000 customers were affected in the data breach.

The ICO (British DPA) initially issued a fine of £183 million (€212 million) but British Airways paid only £20 million (€23.2 million) in October 2020 when the claim was settled.

The fine was reduced because British Airways representatives argued that the fine should be “significantly reduced or not imposed at all” due to the financial difficulties the company was going through during the COVID lockdowns.

European Central Bank

• When: July 2014
• What: Approximately 20,000 emails and the contact information of European event registrants
• How: Ransomware attack via a brute-force password attack

On July 2014, the European Central Bank suffered a data breach that resulted in cybercriminals gaining access to over 20,000 emails and the contact information of European event registrants.

According to the bank, around 95% of the stolen data was encrypted. The vulnerability in their security systems was fixed as soon as the data breach was noticed. Moreover, the bank notified all affected individuals to reset their passwords.

The hackers used a brute-force attack to crack the bank’s database password and then demanded a ransom from the bank in exchange for the data. The European Central Bank did not pay this ransom.

Four years later, in 2018, the European Central Bank would become the victim of a malware attack. The hackers infiltrated the ECB’s Integrated Reporting Dictionary and stole the contact information of 500 subscribers.

PrivatBank

• When: July 2014
• What: 40 million customer records (passport information, banking information, and personal data)
• How: Exposing gaps in the bank’s cybersecurity systems

On July 2014, the largest Ukrainian bank, PrivatBank, suffered a data breach when it was attacked by CyberBerkut, a pro-Russian hacker group.

Following the breach, 40 million customer records were stolen and published online on the Russian social media platform VKontakte.

The data contained personal data, passport information, and banking information of the bank’s customers.

The hacker group warned all customers of PrivatBank to switch to a state-owned bank. Though, it’s unclear whether this happened before or after the cyberattack took place.

At the time, it was suspected that the cyberattack was state-sponsored by Russia but no connections were ever found. Moreover, some cybersecurity experts claimed that the method used in the cyberattack was unlike those used by Russian hackers.

Latvian State Revenue Service

• When: February 2010
• What: 7.5 million tax records and financial data entries of state employees
• How: Specific method used unknown

In February 2010, a hacker who was ultimate identified as Ilmars Poikans (“Neo”) hacked the databases of the Latvian State Revenue Service. He leaked confidential information totaling 7.5 million tax records and financial data entries of state employees.

He then leaked this data on Twitter and a Latvian TV station. It is suspected that he did this to expose the high salaries of state employees. The hacker was part of the “Fourth Awakening People’s Army”, a group known for its ideological-based cyberattacks.

The only confidential information leaked contained costly bailouts and the payment details of bank managers. After the identity of the hacker was revealed, the Latvian Supreme Court pardoned him.

He was only sentenced to 100 hours of community service.

Warsaw Stock Exchange

• When: October 2014
• What: The networks of the Warsaw Stock Exchange, rendering the site unavailable for two hours
• How: Exploitation of a vulnerability in the exchange’s web portal

On October 2014, the official website of the Warsaw Stock Exchange became inaccessible to the public for two hours.

Hackers had infiltrated the organization’s website, locking it down. They had also stolen and made public emails, login credentials, and passwords of stock brokers and employees from the Bank of America, JPMorgan, and other similar firms.

The group also stole infrastructure maps and IP addresses of the wireless sensor networks of the organization. These would show that unauthorized access had indeed taken place.

Eventually, NATO officials discovered that the group was a Russia-backed conglomerate of cybersecurity experts associated with the Russian GRU. The damage to the GPW was not extensive because the trading system had not been compromised.

Health Service Executive of Ireland

• When: May 2021
• What: Confidential corporate data was stolen, the IT systems of several hospitals were disrupted, their databases were encrypted, personal and commercial data stolen, and medical records were also stolen
• How: The Cobalt Strike penetration testing tool was used to infiltrate the systems, which were then encrypted using the sophisticated ransomware program “Conti”

On May 14 2021, the Health Service Executive, which is among the biggest medical systems in Ireland, was hacked by the Russian-based cybercriminal group known as “Wizard Spider”.

They demanded €16.5 million in ransom to decrypt and return all the data and medical records they’ve stolen. They threatened to disclose the data publicly if their demands were not met.

At the time, it was noted that 80,000 of the devices that were connected to the Health Service Executive’s servers were still running on Windows XP. So, their security systems were hardly up-to-date or effective against ransomware.

It was also discovered that the healthcare system was disorganized and fragmented into multiple community organizations, health boards, and hospital groups that were using the same systems.

In approximately four months after the attack, around 95% of the encrypted systems were decrypted and restored. However, it was estimated that the cyberattack would cost the Health Service Executive around €600 million.

COSMOTE Mobile Telecommunications

• When: September 2020
• What: 4.8 million customer data, a total of 48GB of data that was stolen
• How: Social engineering attack on unencrypted data thanks to the ineffective cybersecurity infrastructure of the company

On September 2020, Cosmote Mobile Telecommunications suffered a data breach that resulted in the online theft of personal data of 4.8 million customers. A total of 48GB of data.

The hackers used social engineering to expose the customers’ personal data, which was made easy by the lack of encryption on the processed data. Cosmote did not notify the affected customers as required by the GDPR, which led to a fine of €6 million.

The company was illegally processing the customer data since they had to valid legal reason to do so.

We often see social engineering attacks being the main tool used by hackers to access private data. The human factor is often the most vulnerable link in a company’s security system.

After all, your security system is effective as long as those who enforce it are cautious and aware of the risks involved.

It is not known whether the hackers asked for a ransom or if they sold the data online. Though, going by the usual hacker standards, the data most likely ended up on the Dark Web, sold to the highest bidder.

Bulgarian National Revenue Agency

• When: July 2019
• What: 5 million citizen records, totaling up to 21GB of data
• How: SQL injection attack leading to a massive data breach

On July 2019, the Bulgarian National Revenue Agency (NRA) suffered the biggest personal data breach in its entire history. A total of 21GB of citizen records (over 5 million) were stolen. The data included:

• Tax payments
• Salary and revenue records
• Social security information
• National identification numbers
• Personal debt information
• Health and pension payments
• User information from online gambling sites

The hackers likely used an SQL injection attack to gain access to the NRA’s systems and managed to steal the data without much hassle.

It was discovered that the Bulgarian NRA had not conducted a proper risk assessment before engaging in data processing.

The officials had also not taken the appropriate measures once the data breach had occurred, effectively allowing it to worsen.

This led to a part of the stolen data to be leaked on several social media platforms in Bulgaria. Eventually, the Global Forum on Transparency and Exchange of Information for Tax Purposes stopped working with Bulgaria.

The Bulgarian DPA fined the Bulgarian NRA with €2.6 million in the aftermath of the data breach.

Dutch Government

• When: March 2020
• What: Personal data of 6.9 million registered organ donors from February 1998 to June 2010
• How: Physical theft of two HDDs (hard drives) from the vault storage of the Dutch government

On March 2020, the Dutch government reported that two unidentified individuals had managed to gain access to the vault storage of the government and steal two hard drives.

The hard drives had the personal data records of 6.9 million individuals, which is almost half the population of the entire country.

The personal data included:

• Names
• Gender
• ID numbers
• Signatures
• Contact details

Moreover, the stolen data represented the combined organ donor information of 12 years, between February 1998 and June 2010.

The authorities claimed that the two hard drives were reported missing by the staff who had come to purge the outdated paper forms and remove the electronic records.

The good thing is that the data was not published online, not even on the Dark Web, since authorities had been closely monitoring the situation. Since the data was incomplete, it’s unlikely that it was ever used for fraud.

The worst-case scenario is that it was sold online without alerting the authorities.

This case illustrates the ever-present risk of physical access to a company’s data storage. Even though online infiltration is much more common these days, old fashioned data breaches still happen.

Kingfisher Insurance

• When: October 2022
• What: 1.4TB worth of company data, employee data, and customer data
• How: The hackers used the LockBit ransomware to infiltrate the systems, shut down the servers, and steal the company data

On October 2022, the Kingfisher Insurance company systems were attacked by the LockBit ransomware group. The attackers managed to infiltrate the systems, shut down the databases, and steal 1.4TB of company data.

Immediately after the attack, the IT staff of Kingfisher blocked all external access to the servers and shut them down. A spokesperson for the insurance company claimed that the security measures they had taken were enough to minimize the impact of the data breach substantially.

However, they were the same ones who claimed that the hackers couldn’t have possibly stolen 1.4TB of data. Yet, the hackers then leaked several passwords and email addresses of Kingfisher employees as a response to this allegation.

As it turns out, the hackers had indeed stolen 1.4TB worth of company, employee, and customer data. To date, this remains one of the largest thefts of data in modern history.

The LockBit hacker group have been getting a lot of attention recently after a series of attacks on international firms. One such attack happened on the 8th of September, and the victim was the Hanwha Group. Read more about it here.

Scottish Environmental Protection Agency (SEPA)

• When: December 2020
• What: 1.2GB of data / over 4,000 files containing business information, project information, procurement information, and staff and employee information
• How: Ransomware attack by the Conti ransomware group

On December 2020, the Scottish Environmental Protection Agency (SEPA) was attacked by the Conti ransomware group. The hackers managed to shut off the systems, hijack the internal controls, and steal sensitive information.

The stolen files contained:

• Business information like corporate plans, authorizations, site permits, and enforcement notices
• Project information
• Procurement information
• Employee and staff information

On month later, on January 22nd, the cybercriminals published the stolen files (4,150 in number) on the dark web for free since SEPA refused to pay the ransom.

The CFO of SEPA at the time, Terry A’Heard, clarified that the company was not prepared to give way to criminal extorsion and give in to the demands.

This is what he had to say – “Sadly, we’re not the first and won’t be the last national organization targeted by likely international crime groups. We’ve said that whilst for the time being we’ve lost access to most of our systems, including things as basic as our email system, what we haven’t lost is our twelve-hundred expert staff.”

The company tackled the security breach exemplary, according to experts, since they were transparent about what they were doing to mitigate the impact of the breach. They also refused to pay the ransom, which is laudable by itself.

As a result, SEPA reformed its IT systems from the group up and increased its security to prevent further attacks from happening ever again.

Norfund

• When: March 2020
• What: Theft of $10 million
• How: BEC (business email compromise)

On March 2020, Norfund, a state-owned investment fund in Norway and the largest sovereign wealth fund in the world, became the victim of a business email compromise scam (BEC).

They lost $10 million as a result of this attack, and as of right now, it’s unclear whether the money was recovered or not.

In short, a BEC attack relies on Social Engineering to convince a company to send you money. More specifically, the hackers pretend to be a legitimate party who makes a legitimate request from the company.

At other times, the hackers will hijack the communication between two companies and ensure the legitimacy of their requests.

With Norfund, the criminals accessed, manipulated and falsified the information exchange between Norfund and a microfinance institution in Cambodia. The latter was going to borrow $10 million from Norfund.

Over the course of several months, the hackers learned how the investment fund operates, how they communicate, and they gathered intel patiently.

They did everything by the book and went through all the phases of a scam, including:

• Manipulating communications
• Impersonating authorized staff
• Falsified confidential information, documents, and payment details
• Using social engineering to mimic the same lingo used by employees of the company in their communications

Eventually, the money was sent to the hackers’ recipient account in Mexico on the 16th of March 2020.

DNB, Norway’s largest financial group, had this to say – “Fraud cases of this kind are performed by very sophisticated criminals. With access to e-mail communication between two parties, they can familiarize themselves with how the parties correspond. The payments they initiate therefore deviate very little from ordinary payments performed by the victimized company and become very hard to detect and prevent.”

To date, the Norfund data breach remains the most sophisticated BEC scam in cybersecurity history.

Loqbox

• When: February 2020
• What: Customer financial data
• How: Data breach with unspecific source and method of breach

On February 2020, Loqbox, a UK credit score builder and financial institution was hit by a data breach. The affected user data included:

• Names
• Addresses
• Emails
• Dates of birth
• User account details
• Payment card dates
• Incomplete bank account numbers
• Phone numbers

While Loqbox claimed that the stolen data could not be used to access the customers’ bank accounts, the company was severely criticized for miscommunication during the data breach.

Apparently, they delayed notifying the affected customers by over a week after the incident had taken place.

They also said that they would not compensate the affected customers, even though some of the information (last four credit card digits) could be used in phishing scam attempts.

Despite not knowing the specific method of breach, we should safely assume that it was some type of social engineering attack. There’s a minimal chance of a ransomware since there was no mention at all of a ransom demand from the hackers.

Allegedly, Loqbox has taken some steps to improve their security systems and ensure such data breaches never happen again.

But, as we already know, every security system has its vulnerabilities. And cybercriminals always find them, given enough time and patience.

Travelex

• When: December 2019
• What: 5GB of customer data, a $2.3 million ransom paid to the hackers
• How: Sodinokiki ransomware attack carried out via an unpatched VPN exploit

On December 2019, Travelex became the victim of a ransomware attack by the Sodinokibi group. They locked down the systems, encrypted the files, and demanded $6 million to restore functionality to the platform.

The attacked managed to infiltrate the systems via an unpatched VPN exploit which gave them unrestricted access to the databases.

They stole 5GB of customer data and disrupted operations to the entire company through a ransomware attack. They threatened to go public with the data if the company didn’t pay the ransom in two days.

Eventually, the company paid $2.3 million in Bitcoin to the cybercriminals to recover the customer data. Despite this, their systems experienced malfunctions and disruptions for over a month after this incident.

Seven months after paying the ransom, Travelex reported that they were forced to lay off 1,309 employees to deal with the loss.

This is one of the few examples where the victim caved in to the demands of cybercriminals and paid the ransom.

Cayman National

• When: November 2019
• What: 2TB of data that includes customer data (emails and bank accounts)
• How: Unclassified data breach by black hat group Phineas Fisher

On November 2019, the Cayman National Bank in the Isle of Man suffered a data breach after the black hat hacker group Phineas Fisher attacked them.

A total of 2TB of data was stolen, containing data on the bank’s 1,400 customers. Over 640,000 emails and 3,800 bank accounts were disclosed at this point.

Fortunately, the Cayman National Corporation made an announcement, saying that this data theft was isolated to the Isle of Man branch. It did not impact other operations overseas or other systems of the Cayman National Bank.

After the theft, the Phineas Fisher group released a manifesto. They said that they had “robbed a bank to give the money away”. In support of this, they even released a $100,000 bounty for other hacker groups to follow in their footsteps.

As of right now, it’s unclear how, if any, Cayman National Bank customers were affected by this data breach and whether there were other data breaches as a result.

It’s also unclear how the hackers infiltrated the bank’s systems but it’s safe to say it should have been a social engineering or malware attack.

Binance

• When: October 2022
• What: $570 million stolen in one of the biggest crypto thefts in history
• How: Attacks that targeted specific vulnerabilities in the blockchain network, allowing hackers to create fake transactions

On October 2022, Binance reported a theft of $570 million on their platform. The hackers had created 2 million face BNB tokens and forged the transactions, selling the tokens for $570 million.

They exploited a bridge’s smart contract, allowing them to create transactions and send the tokens to a separate crypto wallet.

Adrian Hetman, the tech lead of the triaging team at Immunefi, said that “As with many bridge designs, there is one central point that holds most of the funds that are moving through the bridge. Ultimately, the Bridge was tricked into giving funds from that contract.”

Fortunately, Binance mitigated further damage by notifying the network validators and suspending all operations of the BNB network. Still, around $100 million are unrecoverable to this day.

Binance did mention that no customers had been affected since the stolen money came from tokens that were created rather than stolen from customers’ accounts.

The Binance hack is the fourth largest crypto hack in history, behind FTX ($600 million), Poly Network ($611 million), and Ronin Network ($625 million).

Wonga

• When: April 2017
• What: Data leak affecting the data of 245,000 users (names, addresses, sort codes, bank account numbers, and the last four digits of the payment card numbers). Over 25,000 Polish users were also affected
• How: Unknown attack method due to Wonga not offering any details about it

On April 2017, the payday loan firm Wonga suffered a data breach. The data of 245,000 users was compromised. This data included the customers’ names, bank account numbers, addresses, sort codes, and the last four digits of the payment card numbers.

Moreover, 25,000 Polish users were also affected, though we don’t know how the data leak impacted them.

Wonga refused to release details about the origins of the data breach or how the hackers managed to infiltrate their systems. However, they did mention that the customers’ accounts likely remained unaffected.

This was a relatively low-level data breach at the time, and due to the limited information at our disposal, there isn’t much more we can say about it.

Evercore

• When: December 2018
• What: Theft of 160,000 data records, including company documents, M&A deals, and important emails
• How: Phishing attack

On December 2018, the global investment banking firm Evercore reported the theft of 160,000 data records following a phishing attack on their servers.

The data included company documents, confidential information, emails, and upcoming M&A deals related to the bank’s junior administrators.

The origin of the phishing attack is unknown, though Evercore mentioned that they hadn’t found any evidence showing that the stolen data was used in any way.

It is likely that the hackers’ goal with this phishing attack was to establish a foothold in the company’s systems for further, more relevant phishing attacks. Fortunately, the institution took notice and mitigated further risks.

Tesco

• When: November 2016
• What: 40,000 compromised bank accounts and £2.26 million stolen from 9,000 bank accounts
• How: Vulnerability exploitation through card data theft that resulted in the theft of £2.26 million from customers

In November 2016, a retail bank in UK (Tesco) was attacked by hackers through card data theft. This resulted in the theft of £2.26 million from customers (9,000 customers), which was about 6% of the bank’s total customers.

The identity of the criminals was never found. However, the FCA (Financial Conduct Authority) made a report detailing how the hackers stole the money from the bank.

The attack took 48 hours. The Bank’s fraud analysis and detection system started blaring about suspicious activities to all the account holders involved in the heist. This was the first phase of the attack, which is when the bank became aware of it.

Customers began calling the bank in droves, filling up the fraud prevention line. The bank’s technicians managed to stop around 80% of the unauthorized transactions. This meant that only 8,261 customers were affected from the 131,000 total customers of the bank.

It is believed that the hackers used an algorithm that created virtual cards with authentic Tesco Bank debit card numbers. Using those virtual carts, they made all the unauthorized transactions which resulted in the theft of £2.26 million.

The incident was deemed “largely avoidable” by the FCA. The debit cards were badly designed, there were a lot of security vulnerabilities in their systems, and the use of sequential PAN numbers made it worse.

The FCA eventually fined the bank £33 million for failing to meet the security standards and having security deficiencies in its systems. The bank also reimbursed all the affected customers.

Eastern European Banks

• When: December 2018
• What: Theft of tens of millions of dollars
• How: Physical infiltration on the bank premises and the installation of USBs, laptops, and other devices to scan the local network of the bank. They found publicly-shared folders, accessed them, and infected the entire system with malware

On December 2018, multiple Eastern European banks fell victim to a large-scale cyberattack that resulted in the loss of tens of millions of dollars.

DarkVishnya hackers had targeted eight banks (that we know of) using a very peculiar method.

The hackers connected physical devices to the banks’ networks and managed to infect the entire network with malware. To do this, the individuals used disguises to mingle in with the banks’ employees and sought to gain access to the network.

Once they managed that, it was only a matter of withdrawing the money through foreign ATMs. They also stole credentials from the bank’s employees that they used to bypass overdraft limits and risk ratings.

This was, by far, one of the most elaborate and well-devised heists in recent history. Moreover, the magnitude of the stolen data and stolen money is still unclear but it is estimated that the losses number in the tens of millions of dollars.

Kaspersky Lab cyber-security firm was called to investigate some of these attacks. They discovered various devices connected to the banks’ networks, like cheap laptops, USB thumb drives (Bash Bunnies), and Raspberry Pi boards.

Nikolay Pankov, an employee of the firm, said that “Even in companies where security issues are taken seriously, planting such a device is not impossible. Couriers, job seekers, and representatives of clients and partners are commonly allowed into offices, so malefactors can try to impersonate any of them.”

It’s also unclear whether the banks received any fines from the GDPR, though we should assume that they did.

Sources

Privacy Affairs – Cybersecurity Deep Dive: Everything About DDoS Attacks
Privacy Affairs – Have Malware Attacks Become More Common?
Privacy Affairs – The Art of Cyber Deception: Social Engineering in Cybersecurity
Privacy Affairs – Cybersecurity Deep Dive: What Is a Supply-Chain Attack?
UpGuard – Top 20 Biggest Data Breaches in Europe
BBC – British Airways Data-Breach Compensation Claim Settled
Imperva – SQL (Structured Query Language) Injection
Privacy Affairs – GDPR Fines Tracker & Statistics
ZDnet – Dutch Government Loses Hard Drives with Data of 6.9 Million Registered Donors
Privacy Affairs – LockBit Ransomware Group Attacks the Hanwha Group and Steals 800GB of Data
BitDefender – Hackers Release Over 4,000 Files Stolen from Scottish Environment Agency in Ransomware Attack
FBI.Gov – Business Email Compromises
Norfund – Norfund Has Been Exposed to a Serious Case of Fraud
MoneySavingExpert – Credit Score Builder Loqbox Hit by Data Breach
The Wall Street Journal – Travelex Paid Hackers Multimillion-Dollar Ransom Before Hitting New Obstacles
CNBC – $570 Million Worth of Binance’s BNB Token Stolen in Another Major Crypto Hack
Privacy Affairs – Why Is Phishing so Common & How to Protect Against It?
ZDnet – This Is How Cyber Attackers Stole £2.26m from Tesco Bank Customers
Investopedia – Primary Account Number (PAN): What It Is & How It Works on Cards
ZDnet – Eastern European Banks Lose Tens of Millions of Dollars in Hollywood-Style Hacks
Hackinglab – Bash Bunny – Guide