Cyber Incident Victim: Ville de Bruxelles
Date: May 2024
Location: Belgium
Summary
A supplier to the Ville de Bruxelles was targeted in a cyberattack resulting in the theft of personal identification data, which may be illegally disclosed or exploited for phishing campaigns. The municipality launched an investigation with the affected provider to determine the breach's scope and circumstances while implementing corrective and preventive technical and organizational measures. Relevant national authorities, including Belgium's Cybersecurity Centre and Data Protection Authority, were notified of the incident. The compromised data poses risks of misuse in targeted spear-phishing attempts due to its sensitive nature.
Description
In May 2024, the City of Brussels announced that a cyberattack had targeted one of its suppliers, resulting in the theft of personal identification data. The breach, disclosed on May 16 via the city’s official website, involved unauthorized access to systems containing sensitive personal information described as "data having to do with identification." Municipal authorities initiated a joint investigation with the affected supplier to determine the attack’s origin, scope, and specific data types compromised. Technical and organizational corrective measures were implemented immediately following detection, though the exact intrusion vector remained unspecified. The city notified Belgium’s Centre for Cybersecurity (CCB) and the Data Protection Authority (APD) in compliance with regulatory obligations. Officials warned that exfiltrated data could be illegally disclosed or exploited for malicious purposes, including phishing or spear-phishing campaigns leveraging familiarity with municipal services. Brussels’ population of 188,000 residents faced potential risks of identity-based fraud due to the exposure. The city established a dedicated privacy desk ([email protected]) for citizen inquiries but did not disclose the supplier’s identity, data volumes affected, or whether ransomware was involved.

This incident followed multiple prior cyber disruptions affecting Belgian government entities. In February 2024, Brussels’ municipal websites, alongside federal platforms including the Prime Minister’s site and the Chamber of Representatives, experienced temporary outages from DDoS attacks, as reported by RTBF. The Russian-linked threat actor NoName057(16) claimed responsibility for similar DDoS incidents in October 2023 targeting the Royal Palace, Prime Minister’s office, and Senate websites. Earlier, in 2021, a cyberattack paralyzed administrative services in Liège, Belgium’s third-largest city, for several weeks. The May 2024 supplier breach differed from these availability-focused attacks by prioritizing data exfiltration over service disruption, though all incidents underscored persistent threats to Belgian public sector infrastructure. No attribution or financial motives were confirmed for the supplier attack, and the city’s communications emphasized containment steps without detailing forensic findings or long-term mitigation strategies.
