Cyber Incident Victim: EDC

Date: Nov 2023

Location: Denmark

Summary

EDC experienced a cyberattack by the pro-Russian Black Basta group, leading to server shutdowns and temporary system disruptions. The attackers copied personal data including addresses and, for some clients, CPR numbers, though financial accounts, passwords, and national digital IDs remained secure. The breach involved information stored under regulatory obligations, with affected individuals notified and authorities engaged while security enhancements were implemented post-incident.

Description

On October 31, 2023, the Danish real estate company EDC experienced a cyberattack that disrupted its operations. The intrusion was detected on November 1 when the company's servers unexpectedly failed, prompting immediate containment measures. EDC proactively shut down its entire IT infrastructure to prevent lateral movement of the attack across networked devices. Full control over systems wasn't reestablished until seven days post-incident, with forensic clarity about stolen data emerging on the eighth day and specific compromised datasets identified by the ninth day. The company attributed this extended timeline to technical complexities inherent in containing sophisticated attacks. EDC publicly confirmed the international pro-Russian hacker group Black Basta as the perpetrators, marking this as the first successful breach of the company's defenses despite previous attempts against other major Danish organizations.

The attack resulted in unauthorized copying of personal data from EDC's systems, constituting a breach of data protection regulations. While most affected customers only had basic address information exposed—typically available through public directories—individuals who had bought or sold property through EDC faced potential compromise of their CPR (Danish national identification) numbers. The company emphasized that no banking credentials, MitID/NemID authentication systems, account passwords, or social media access were compromised. EDC immediately notified current and former customers via direct communication where contact details were available, detailing the specific data types exposed in each case. Concurrently, the organization filed mandatory breach notifications with Datatilsynet (the Danish Data Protection Agency) and initiated a criminal investigation with law enforcement. Technical recovery efforts ran continuously from the time of detection, culminating in full system restoration alongside implementation of enhanced security measures. EDC maintained that critical case information storage systems remained inaccessible to attackers throughout the incident. It cited data retention obligations under EU anti-money laundering regulations (5 years for identity documents, 10 years for transactional records) as the reason the exposed materials had not been deleted earlier.
