Cyber Incident Victim: VisitFaroeIslands.com
Date:
Mar 2023
Location:
Faroe Islands
Summary
The Visit Faroe Islands tourism website, supported by government funding but privately operated, was defaced by the SeigedSec hacking group, which accessed newsletter subscriber names, email addresses, and the site’s source code. While the group claimed broader system compromises, local IT security officials confirmed only the tourist website's modules and content management system were breached, explicitly refuting allegations of government network infiltration. The incident prompted involvement of data protection authorities for potential privacy implications, aligning with previous SeigedSec incidents where the group exaggerated the significance of publicly accessible data breaches, such as in U.S. state government cases. Another group, GhostSec, amplified false claims mirroring its own past misinformation efforts involving another U.S. state agency.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On March 4, 2023, the SeigedSec hacking group defaced the VisitFaroeIslands.com tourist website, which serves the Faroe Islands, a self-governing Danish territory with a population of approximately 54,000. The attackers claimed unauthorized access to employee data, sensitive information, and the website’s source code, subsequently posting screenshots of the compromised backend infrastructure on Telegram via collaboration with the GhostSec hacking collective. An IT security specialist from Gjaldstovan—an entity under the Faroe Islands’ Ministry of Finance overseeing public IT—confirmed the breach of the tourism site, clarifying it was operated by a privately managed company receiving government funding rather than a direct government platform. The compromised elements included website modules, programming tools, and a database containing names and email addresses of newsletter subscribers. Authorities advised the affected company to notify relevant EU Data Protection Authorities and Faroese privacy regulators, while multiple agencies initiated investigations into the incident. The company managing the website did not publicly comment on the breach despite media inquiries.
The Faroese government explicitly refuted SeigedSec’s assertion of infiltrating governmental systems, labeling those claims as unfounded. Historical context revealed SeigedSec’s pattern of exaggerating attacks, including prior incidents where they allegedly hacked Kentucky and Arkansas state systems but merely downloaded publicly accessible records. GhostSec, which amplified SeigedSec’s Faroe Islands claims, had similarly misrepresented a February 2023 breach involving Maine’s environmental department by portraying publicly available data as exfiltrated confidential material. While the tourist website defacement and data exposure required incident response coordination, governmental operations remained unaffected. The confirmed impact was limited to the tourism site’s digital assets and subscriber information, with no evidence of broader compromise to critical infrastructure or sensitive administrative networks beyond the hackers’ unsubstantiated statements.