“Large-Scale Cyber Attack Exposes Personal Data of Millions of Dutch People”

The attack was only discovered by Nebu 31 hours later and was not immediately shared with the injured parties, says market researcher Blauw, one of the affected parties, in court in Rotterdam on Tuesday. There is an interim injunction that the company has brought against Nebu, the company that supplies the software for customer-friendliness surveys. Blauw conducts these studies on behalf of numerous large companies, such as NS and VodafoneZiggo. Data of possibly hundreds of thousands of Dutch people has been leaked from those companies alone.

Hackers, whose identity is still unknown, would have spent a total of 45 minutes stealing the personal data. This not only concerns names, ages, genders and e-mail addresses, but in some cases may also include information about people’s income and pension data. Such data is a goldmine for cybercriminals. Exactly how much data was stolen is still unclear.

The leakage of personal data of customers is ‘a nightmare’ for any party that stores and stores it, says Blauw’s lawyer in her argument. In summary proceedings, she demands that Nebu hand over all available information and have an external party conduct a forensic investigation into the cyber attack. “Blauw’s reputation stands or falls with the careful handling of customer data. Failure to do so could have serious consequences for our customers.”

Blauw assumed that Nebu ‘had a high priority on reliability’. “But nothing could be further from the truth. Nebu deliberately shrouds itself in vagueness and does not comply with contractual agreements and legal obligations. There is no question of a thorough investigation. We no longer have confidence in it.” Nebu is also still unreachable for the media. There is still no mention of the attack on the website. According to Blauw, a report on the cyber attack – which was shared on request during the session – contains ‘little news’.

During the hearing, Nebu’s lawyer acknowledged that communication should have been better. Things are going much better now, he says. “The cyber incident is currently Nebu’s top priority. But if things are not yet clear to Nebu, Nebu cannot be expected to provide information. The fuss that has arisen is understandable, but the statements they make in the media are incorrect.”

Nebu, part of a global concern, considers the interim injunction unnecessary and possibly even harmful to the company. They preferred to hold the session behind closed doors. “We want to prevent information about security measures from becoming public so that malicious parties can use it,” explained the software company’s lawyer. The judge rejected that request. Nebu itself is not present, a representative of the Canadian parent company follows the summary proceedings via a live connection.

About 25 organizations have so far reported that they may be victims of the data breach. These include the NS, rail manager ProRail, insurer CZ, provider VodafoneZiggo, the Dutch Golf Federation, Friends of Amstel Live, the National Postcode Lottery, the Netherlands Enterprise Agency and several municipalities and housing associations. Pension fund PME may also have been affected. There, income data of people who accrue pension may have been leaked.

At Pensioenfonds Zorg & Welzijn (PFZW), personal data of approximately 95,000 participants may also have come out due to a major data leak at a company that supplies software to market researchers. Potential victims will be notified on Tuesday. Experts take into account that at least several million Dutch people have become unintentionally involved in the leak.

Blauw did not like a session without media. “Many parties are involved in this case and they also want to be able to follow it. Think of clients and authorities. Our point of view is that the session should be public, so that they can follow it”, says board chairman Jos Vink.

Watch our news videos in the playlist below: