Cybersecurity has become a major concern for the digitalised world. Over the years, Europe has become a prime target for cybercriminals seeking financial and influential gains. The UK is the most affected in Europe, ranking among the top 5 countries in the world for cybercrime threat level. In early 2025, Distributed Denial-of-Service (DDoS) attacks surged by 137% year over year across Europe, with the largest attack peaking at 1.4 terabits per second.
Let us review some of the largest data breaches in Europe over the last decade. This article explores these events and discusses how they may serve as examples for students of cybersecurity. The breaches are analysed in terms of their size, effects, causes, and the lessons learnt, particularly those that can enhance cybersecurity practices. The selected cases will enable students to identify vulnerabilities, understand attack vectors, and evaluate mitigation strategies, all while honing their technical and analytical skills.
The following are some of the notable data breaches in Europe, based on the number of records compromised, lost revenue, or regulatory risk. They expose the dynamic landscape of cyber threats and the importance of substantive cybersecurity practices.
In the summer of 2018, British Airways, a major UK-based airline, suffered a data breach that compromised the credit card details and personal data of its customers. Approximately 380,000–500,000 customers were impacted. The breached data included names, addresses, email addresses, credit card numbers, and even card security codes.
The ICO (Information Commissioner's Office), the body that upholds data privacy laws in the UK, confirmed the attack.
Hackers using a technique known as Magecart infected the British Airways website with malicious JavaScript code that syphoned the payment data of customers to unknown attackers. The breach went undetected for months due to a lack of monitoring and logging mechanisms.
The ICO fined British Airways £183.39 million under GDPR, but the penalty was later reduced to £20 million.
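The British Airways case turned on injected JavaScript running unnoticed on a payment page. The following added example (not from the original article or from any organisation it names) audits a page's script tags against an approved list and derives a matching Content-Security-Policy; the host names, the allowlist and the sample page are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Assumption: hosts this hypothetical shop has approved to serve scripts.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example"}
# Constructed sample checkout page (not taken from any real site).
SAMPLE_CHECKOUT = """
<html><head>
<script src="/js/checkout.js"></script>
<script src="https://cdn.shop.example/lib.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://cdn.shop.example/widgets.js"></script>
<script src="https://collector.invalid/t.js"></script>
</head><body><form id="pay"></form>
<script>document.getElementById("pay");</script>
</body></html>
"""

class ScriptAudit(HTMLParser):
    """Record a finding for each <script> that weakens payment-page integrity."""
    def __init__(self, page_host, allowed):
        super().__init__()
        self.page_host, self.allowed = page_host, allowed
        self.findings = []      # (severity, reason, detail) in document order
        self._inline = None     # buffer while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attrs = dict(attrs)
        src = attrs.get("src")
        if not src:
            self._inline = []
            return
        host = urlparse(src).hostname or self.page_host  # relative URL = own host
        if host not in self.allowed:
            self.findings.append(("high", "script from unapproved host", src))
        elif host != self.page_host and not attrs.get("integrity"):
            self.findings.append(("medium", "third-party script without SRI", src))

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).strip()
            if body:
                self.findings.append(("review", "inline script", body[:40]))
            self._inline = None

def audit(html, page_host="shop.example", allowed=ALLOWED_SCRIPT_HOSTS):
    parser = ScriptAudit(page_host, allowed)
    parser.feed(html)
    parser.close()
    return parser.findings

def csp_script_src(page_host, allowed):
    """Build a script-src policy limited to the approved hosts (no inline code)."""
    others = sorted(h for h in allowed if h != page_host)
    return "script-src 'self' " + " ".join(f"https://{h}" for h in others)
```

Running `audit()` on every deployment of a payment page and alerting on any new finding gives the kind of monitoring whose absence let the breach go undetected.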
In July 2017, Dixons Carphone suffered a data breach of 6.5 million payment cards and of approximately 10 million personal records. It went undetected for 9 months, leaving customers vulnerable to identity theft and fraud.
Hackers installed malicious software on point-of-sale (POS) terminals across Currys PC World and Carphone Warehouse stores in the UK to extract details. The ICO report described it as "failures related to basic, commonplace security measures".
Dixons Carphone was fined £500,000 for this massive data breach. The incident further caused the closure of Carphone Warehouse stores and the rebranding to Currys.
In 2016, approximately 15.2 million UK Equifax customer records and 145 million global records of the company were compromised.
Hackers entered through a vulnerability in Apache Struts, a software framework used by Equifax. They gained remote code execution (RCE) access to sensitive data, including names, addresses, email addresses, phone numbers, and security questions. Equifax failed to patch the vulnerability despite its public disclosure and available fixes. This highlights the poor patch management practices at the company that led to this disaster. Affected individuals faced the risk of identity theft and fraud.
The ICO fined Equifax £500,000 for failing in cybersecurity measures. To avoid further losing customers' trust, Equifax had to implement a mandatory password reset and offer free identity protection services. The company later overhauled its patch management system and vulnerability scanning processes.
In May 2020, $10 million was stolen in a business email compromise (BEC) scam targeting Norfund.
The attackers studied Norfund’s communication patterns for several months, enabling a sophisticated social engineering attack. After successfully hacking a Norfund e-mail account, the hackers were able to give themselves an £8.2 million loan. The scam relied on social engineering rather than technical exploits. This was called "an advanced data breach".
After this, the organisation implemented a multi-factor authentication (MFA) process and enhanced email filtering. Staff were also given awareness training to prevent future BEC attacks.
The incident highlighted the risks of BEC scams and the need for email security protocols.
In the spring of 2015, a Russian hacker employed a spear-phishing technique to gain access to the Bundestag’s internal network. This state-sponsored cyber attack affected over 5,000 computers and resulted in the breach of at least 16 GB of data, including emails belonging to Chancellor Angela Merkel.
This attack lasted for several days, compromising sensitive government data. German authorities identified the perpetrator in 2020, highlighting the growing threat and need for robust endpoint security and phishing awareness.
In May 2021, the Health Service Executive (HSE) suffered a major ransomware attack from the Russian-based “Wizard Spider” hacker group, which demanded €16.5 million to decrypt the data. The stolen data included personal data, medical records, and HSE corporate and administrative data. It is the largest known security incident against an Irish state agency system to date.
According to the National Cyber Security Centre, the perpetrators used the penetration testing tool Cobalt Strike to infect the HSE’s systems and a fast and sophisticated ransomware type known as Conti to encrypt data and medical records. It caused a complete shutdown of the HSE local and national network, forcing them to use paper-based records.
It was found that the HSE’s IT infrastructure was dangerously outdated, with 80,000 devices connected to the HSE’s central servers, which were still operating on Windows XP. Additionally, the system was extremely fragmented, operating on multiple systems. HSE estimated that the cost of the cyber attack would exceed €600 million.
From 2014 to 2018, hackers accessed Marriott’s Starwood reservation system, which compromised 500 million guest records. This was all due to their outdated IT systems, which were so vulnerable that it took 4 years to detect the breach. The breach exposed credit card details, passport numbers, and personal information of customers.
After this incident, Marriott faced a $23.8 million GDPR fine for failing to secure its systems and conduct due diligence during the Starwood acquisition.
In September 2024, the RansomHub ransomware gang attacked Kawasaki Motors Europe (KME), which resulted in the exfiltration of 487 GB of data. As the ransom demands were not satisfied, RansomHub eventually released the stolen data publicly. The incident raised worries about potential consumer data exposure given the large volume of exfiltrated material. This incident is classified as "Significant to High" on the severity scale due to the successful attack by a sophisticated actor and the potential long-term consequences for cybersecurity.
KME's preemptive efforts, such as temporary server isolation and consultation with external cybersecurity specialists, enabled the restoration of more than 90% of server functioning without disrupting vital business processes.
Studying real-world data breaches like these will help cybersecurity students to gain a more practical understanding of the knowledge and skills that they will need to combat constantly evolving cyber threats. Listed below are the main ways that these case studies further education and enhance skills development:
Case studies provide students the opportunity to encounter attack vectors that they may not see until they hit the ground, for example, XSS (British Airways), RCE (Equifax), and BEC (Norfund). By witnessing and examining these attack vectors in each case study, students learn how attackers exploit technical flaws, misconfigurations, or human mistakes.
Skills Development: Students will be able to detect vulnerabilities in simulated settings using tools such as Burp Suite, Metasploit, and Wireshark, as well as engage in simulated attacks.
Each case study demonstrates the need for rapid detection, containment, and mitigation. For example, the British Airways and Marriott International breaches went undetected for a prolonged period, whereas Norfund brought awareness to the breach and limited the damage it could inflict by quickly reporting it publicly. Late public acknowledgement can put citizens at high risk of theft and scams for a longer period.
Skills Development: Students will have the skill to create incident response playbooks, establish log review, and help to simulate response activities using a tool like Splunk or SIEM-based systems to contain a breach.
In the cases of British Airways and Equifax, students can observe the implications (GDPR) of not being compliant with local laws and establish rules regarding data handling practices. Establishing compliance as a pillar of best practices is demonstrated and reinforced. It is one thing to have security practices; however, it is another to align oneself with the required regulations such as GDPR, ISO 27001, and NIST.
Skills Development: Students will have the skill to write compliance checklists, conduct mock audits (which could include information governance, data handling, employee awareness, making reports, etc.), and research data protection impact assessments (DPIA).
The Equifax incident demonstrates the significance of implementing proactive risk management, which includes patch management and verifying third-party vendors. Students will learn how to identify and prioritise hazards based on their likelihood and severity.
Skills Development: Students will be able to use risk assessment models such as NIST 800-30 or FAIR to assess an organisation's vulnerabilities and establish mitigation plans.
Case studies like Norfund focus on human factors (such as phishing awareness and communication). Students learn how to construct training programmes and how to explain technical concepts to non-technical stakeholders.
Skills Development: Students will develop and use phishing simulation campaigns and practise presenting their cybersecurity recommendations to mock boards.
As case studies include breaches, students must think critically about what went wrong, what humans did to accidentally compromise systems, and how it could have been better. For example, by reviewing Equifax and why their machines were not patched for Apache Struts, students can determine how crucial those upgrades should have been.
Skills Development: Students may participate in capture-the-flag (CTF) competition exercises or red/blue team simulations.
The breach at Kawasaki Motors Europe in 2024 demonstrates how significant infrastructure is increasingly being targeted, as well as the prevalence of ransomware. Ransomware attacks on manufacturing facilities increased to 29% of publicly extorted victims globally in Q2 2024, representing a 56% increase year on year. Students must be trained to deal with these ever-changing threats, which include new malware and diverse supply chain hazards.
Students may learn about ransomware mitigation techniques, such as endpoint detection and response (EDR), before assessing supply chain weaknesses.
In July 2018, the Bulgarian NRA (National Revenue Agency) suffered a massive personal data breach of 5 million citizen records and 21 GB of other sensitive data. To date, it is the biggest breach in Bulgaria. The compromised data included salary and revenue records, tax payments, national identification numbers, Social Security information, and health and pension payments. On top of all that, it also leaked user information from online gambling websites. The stolen sensitive data was leaked on various media platforms in Bulgaria.
It was assumed that hackers used a SQL injection attack to get into systems. The investigation report of the attack highlighted that Bulgarian officials did not take the incident seriously and failed to take sufficient action to contain the attack. Further, the Global Forum on Transparency and Exchange of Information for Tax Purposes (which included countries like Switzerland, Germany, Singapore, and more) stopped exchanging information with Bulgaria.
The Bulgarian DPA (Data Protection Authority), Bulgaria's primary data protection authority, issued the NRA a fine of €2.6 million for failing to take the necessary steps and measures to protect personal data. NRA failed to conduct a proper risk assessment of its data processing operations.
In March 2020, Virgin Media, a broadband provider, suffered a data breach of the personal information of 900,000 customers. The information remained open for exploitation for 10 months. It included details regarding customer names, house addresses, email addresses, phone numbers, and subscription details.
The data leak occurred due to a database misconfiguration by an employee who failed to follow proper procedures and protocols. Virgin Media quickly discovered the breach and shut down all related databases containing the leaked information.
After this, Virgin Media reportedly faced a lawsuit of nearly £4.5 billion, around £5,000 for each of the 900,000 affected customers.
In October 2015, the TalkTalk cyberattack resulted in the exposure of over 157,000 records. The breach included financial data from over 15,000 bank accounts. The hackers gained access to customers' names, dates of birth, addresses, bank details, and credit card information. Luckily, the card numbers were obscured, making them unusable.
Hackers exploited SQL injection vulnerabilities during the acquisition of Tiscali’s UK operations by TalkTalk to infiltrate the system.
The ICO investigated TalkTalk’s compliance with the Data Protection Act and issued a massive fine of £400,000 ($510,000). It concluded that the firm had failed to implement basic security measures that could have prevented the data breach and properly protected customers’ data. Additionally, the cyber attack had cost the company more than 100,000 customers and £60 million ($76 million) in mitigating the data breach.
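SQL injection is the suspected or reported entry point in both the Bulgarian NRA and TalkTalk cases above. As an added illustration (not code from the article or from either organisation), the following sets a query built by string formatting beside its parameterised form, with a regression check suitable for a test suite; the `customers` table, the function names and the sample rows are constructed assumptions.

```python
import sqlite3

def make_db():
    """Constructed sample data: a small customer table held in memory."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"),
         ("bob", "bob@example.test"),
         ("O'Brien", "obrien@example.test")],
    )
    return db

def lookup_vulnerable(db, name):
    # Flaw: the input is pasted into the SQL text, so it can rewrite the query.
    sql = "SELECT name, email FROM customers WHERE name = '%s'" % name
    return db.execute(sql).fetchall()

def lookup_parameterised(db, name):
    # Fix: the value travels separately from the SQL and is only compared as data.
    sql = "SELECT name, email FROM customers WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()

# Textbook tautology probe, as used in defensive test suites.
PROBE = "nobody' OR '1'='1"

def leaks_rows(lookup, db):
    """Regression check: a name that matches no customer must return no rows."""
    try:
        return len(lookup(db, PROBE)) > 0
    except sqlite3.Error:
        return True  # the input reached the SQL parser, which is still a finding

if __name__ == "__main__":
    db = make_db()
    print("vulnerable leaks:", leaks_rows(lookup_vulnerable, db))
    print("parameterised leaks:", leaks_rows(lookup_parameterised, db))
```

The row for O'Brien shows the same flaw from the other side: the formatted query fails on a legitimate name containing an apostrophe, while the parameterised one returns it normally.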
In April 2017, Wonga, the UK's largest payday loan company at the time, suffered a data breach, which later contributed to the company's demise. The infringement exposed up to 270,000 of its customer records, including names, bank account numbers, sort codes, and the last four digits of bank cards. It is one of the UK’s biggest data breaches involving financial information.
Wonga officials said the data breach affected about 245,000 UK customers and 25,000 Polish customers. Wonga’s security team later confirmed that users’ loan accounts were secure, and so no action needed to be taken. However, users who suspect any unusual activity in the recent past can contact the customer desk of the technology-driven financial firm. Following the breach and a series of poor business practices, Wonga ultimately fell into bankruptcy and shut down.
In February 2021, a Libération investigation reported the breach of approximately 500,000 medical records of French patients. According to AFP (Agence France-Presse), the data disclosed on the internet contained patients' names, medical histories, and social security numbers. Libération further revealed that the stolen material included medical information and COVID-19 tests from 30 healthcare laboratories in northwest France. The data includes information on blood types, HIV status, reproductive status, and health insurance providers.
Initially, authorities failed to learn how the hackers stole the data, but one thing in common was that the laboratories used software from Dedalus, a healthcare provider. Dedalus was fined €1.5 million for breaking the GDPR (General Data Protection Regulation) by failing to protect EU individuals' personal information. After failing to find a buyer, the hackers decided to make the data public.
In response to the incident, French President Emmanuel Macron announced a cybercrime combat programme worth €1 billion to enhance the cybersecurity of the French healthcare system.
In September 2020, Cosmote Mobile Telecommunications, Greece’s largest mobile operator, suffered a social engineering attack. The hack compromised 4.8 million consumers' personal information and 48 GB of data. Additionally, subscriber information and directory data from nearly 7 million customers of other providers who had corresponded with COSMOTE subscribers were made public.
Following an inquiry, the authorities discovered that the corporation was handling client data illegally under GDPR. The data was not encrypted, and COSMOTE failed to notify affected subscribers of the incident.
Finally, the HDPA (Hellenic Data Protection Authority) fined COSMOTE Mobile Telecommunications €6 million for multiple violations. The parent company, the OTE Group, was also fined €3.25 million for incomplete security measures and failing to implement the required cybersecurity infrastructure.
In February 2022, satellite communications company Viasat, responsible for providing satellite internet and satellite television to European and some Middle Eastern nations, became a target of a sophisticated cyberattack. The attack came into effect just one day before the beginning of the Russia-Ukraine war. This attack jeopardised the Viasat KA-SAT, rendered 40,000 to 45,000 modems unworkable, caused a lack of communication in Ukraine during the invasion, caused 5,800 Enercon wind turbines in Germany to malfunction, and disrupted thousands of companies across Europe. However, there is no evidence to suggest that any end-user data was accessed or compromised. In the next round of attacks, hackers flooded Viasat's servers with requests that quickly overwhelmed their networks.
The hackers relied on a piece of new malware named “AcidRain” that wiped the contents of thousands of targeted modems. AcidRain is a wiper designed for modems and routers. It can overwrite key data in a modem’s flash memory, making it inoperable and in need of reflashing or replacing.
This attack became a clarion call for improving space systems cybersecurity.
Students can enhance their educational experience by engaging in the following activities related to these case studies.
Labs and Simulations: Students can set up a simulated environment to duplicate XSS, RCE, or BEC attacks. They can use tools like OWASP WebGoat or TryHackMe to exercise exploitation and mitigation.
Research Projects: Learners must explore recent breaches and make connections to historical breaches to understand similarities between them and the emerging trends in attack vectors. Also, discover various defensive measures taken by states and agencies to prevent and mitigate attacks.
Policies: Students can develop enhanced cybersecurity policies for patch management, email protection, or GDPR compliance based on lessons learnt from the case studies.
Team Activities: Host tabletop scenarios based on breaches with specific roles such as incident responder, compliance officer, or executive.
Certifications: Students can identify and pursue certifications, including CompTIA Security+, CEH, or CISSP, that cover concepts present in these breaches (for example, vulnerability management and incident response).
The major data breaches in Europe over the last decade, such as British Airways, Equifax, HSE, and Norfund, provide lessons for students in cybersecurity. They demonstrate the effects of technical vulnerabilities, human errors, and a lack of compliance on the security system. These cases also provide experience in taking lessons from an incident to prevent, detect and respond in similar situations.
Through these case studies, students develop their technical skills (learning about vulnerability scanning and email security), analytical skills (learning about risk assessment and log analysis) and soft skills (learning about communication and training design). Learners will be able to assist businesses and organisations in defending themselves against cyberattacks, identifying and responding to real threats. They can further contribute to the design of secure systems and uphold data protection policies in enterprises.