Medical emergency call data breached in incident
The Slovenian authorities are looking into a major breach of sensitive data on 112 emergency line calls for medical assistance, which appeared on the dark web before being taken down on 15 January.
The Defence Ministry has confirmed the data appeared on the dark web but said they had not been stolen from its servers or devices or those of the Administration for Civil Protection and Disaster Relief.
"All indications are that the breach took place on other servers or devices ... the content with detailed health data published on the dark web did not originate from the Defence Ministry or the Administration," the ministry said.
The 112 line and the information systems of the Administration and the ministry have been working smoothly and safely, according to the ministry.
Media have reported the data were offered for sale through a dark web forum featuring a sample of the content of emergency calls and other highly sensitive data, including people's names, locations and symptoms.
Claim of 15 million lines of data stolen
The hacker or hackers claimed to have more than 15 million entries from the system, announcing they were willing to sell real-time access to the data, and access to regional information centres.
It was suggested the data could stem from the Emergency Medical Dispatch Service operated by UKC Ljubljana medical centre, whose corporate security department has taken over the matter and notified the other relevant authorities, including the police.
The Government Information Security Office has confirmed it is looking into the incident to establish the cause of the breach. The office said it had no information on the amount of data stolen.
Quite recent data breached
The Government Information Security Office said the information available for now did not confirm the initial reports that the data was breached through the information system of a voluntary fire brigade in Vrhnika near Ljubljana.
The office's information also indicated that the suggestion that the hackers had direct access to the databases of the regional notification centres was inaccurate.
The Information Security Office said the data seen was more recent and seemed to have been obtained only recently.
Apart from notifying the police and Information Commissioner, the office said the national cyber security response centre SI-CERT will examine what exactly happened. Further measures will follow after the analysis.
Potential insider suspected
According to unofficial information, it is possible that the data was stolen internally. The Information Security Office suspects that, since no hacking has been detected and no reports have been made, it could be the work of a disgruntled individual who officially has access to the data.
"The very database that was offered, that was being sold, has been withdrawn," the office's head Uroš Svete told TV Slovenija late on 15 January. While it is up to the law enforcement authorities to deal with the incident, he said the fact was that insiders were the biggest threat to cybersecurity both in theory and in practice.
The incident comes after a cyber attack on HSE, Slovenia's largest power utility, in November last year and several other such incidents in recent years.
SI-CERT, the Slovenian Computer Emergency Response Team, saw the number of cyber incidents rise by 4% in 2023 to 4,280 after the figure surged to 4,123 in 2022 from 2,775 in 2021.