Cyber Incident Victim: Région de Bruxelles-Capitale

On September 13, 2024, the City of Brussels publicly disclosed a cybersecurity incident involving a third-party supplier that resulted in unauthorized access to personal data. The breach occurred when an unspecified threat actor compromised systems belonging to one of the municipality's service providers. While the city's own infrastructure remained unaffected, the attacker exfiltrated sensitive information related to early childhood care services administered through the supplier. The compromised data included personal details of individuals associated with these municipal childcare programs, though the exact number of affected records and specific data elements were not quantified in the initial disclosure. Municipal authorities confirmed the breach stemmed from the supplier's systems but did not identify the intrusion vector or provide technical details about the attack methodology.

The City of Brussels initiated its response by notifying relevant data protection authorities in accordance with regulatory requirements following the supplier's breach notification. Public communication emphasized the municipality's indirect involvement as the data controller while maintaining operational continuity in childcare services throughout the investigation. No evidence suggested misuse of the stolen data at the time of disclosure, though the city acknowledged potential risks to data subjects whose information was exposed. The incident highlighted supply chain vulnerabilities in municipal operations, particularly concerning sensitive personal data processed by external partners. Forensic analysis remained ongoing to determine the full scope of compromised records and establish whether additional security measures were required for future third-party engagements.