Cyber Incident Victim: École de commerce du sport (CNPC)
Date:
May 2024
Location:
France
Summary
A Pau airport and a business school experienced a ransomware attack disrupting digital operations while maintaining core activities. The incident degraded systems, forcing the school to conduct classes without certain digital tools, though airport flights remained unaffected. Data theft occurred, prompting notifications to France's data protection authority, with investigations ongoing involving cybersecurity contractors. The attackers' identity remains unknown, and the targeted institution ironically hosts a regional cybersecurity collaboration hub. Legal complaints are being prepared as authorities analyze the scope of compromised personal information.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On May 13, 2024, the École de commerce du sport (CNPC) / éklore-ed Sport Business and Pau Airport, both managed by the CCI Pau Béarn, experienced a cyberattack disrupting their digital operations. Initial reports indicated the attackers deployed malicious software consistent with ransomware tactics, which typically encrypt systems or data to extort payment for restoration. The CCI Pau Béarn confirmed immediate response measures, including activating a cybersecurity contractor to conduct forensic investigations and initiating legal procedures with plans to file a formal complaint. Operational continuity was maintained across both entities through degraded operational modes: Pau Airport sustained flight schedules without disruption, while the business school continued classes despite losing access to a subset of digital teaching tools. This incident mirrored prior regional cyberattacks targeting the Sdis 64 fire department in October 2023 and Oloron-Sainte-Marie Hospital in early 2021, suggesting a recurring threat pattern against critical infrastructure in the Nouvelle-Aquitaine area.
The attack involved confirmed data exfiltration, prompting mandatory breach notifications to France’s data protection authority, the CNIL, which acknowledged receiving multiple reports of compromised personal data. The CNIL emphasized ongoing victim-led analyses prevented definitive public attribution or detailed technical assessments of the attack vector at the initial disclosure stage. Notably, the breach occurred at an institution hosting the Nouvelle-Aquitaine Regional Campus of Cybersecurity and Digital Trust, highlighting a symbolic or strategic targeting irony. No ransom demands or threat actor identities were disclosed publicly during the immediate aftermath. Business and aviation operations proceeded with manual or alternative workflows pending full system restoration, reflecting prioritized continuity over immediate technical resolution amid the active investigation phase.