The Autoriteit Persoonsgegevens has so far received 139 reports from companies and organizations about the data breach at Nebu B.V. The leaks may have resulted in the private data of millions of Dutch citizens ending up in the hands of hackers. The regulator does not rule out that more agencies will report in the coming period.
This emerges from an inventory, a spokesperson for the Autoriteit Persoonsgegevens told NU.nl ( 1)
It has been almost a month since software provider Nebu B.V. of Wormerveer was the victim of a data breach. On March 10, hackers managed to penetrate the company's systems and browsed three quarters of an estimated two million Dutch people's personal data. Information such as names, home addresses, e-mail addresses, phone numbers, dates of birth and gender were stolen by the perpetrators in the process.
In some cases, they may also have stolen financial data such as income and pension information. Whether the attackers also accessed or captured other information, such as answers to questions from digital questionnaires, is currently under investigation. After 31 hours, Nebu employees discovered that data had been stolen.
In late March, two weeks after the data leak came to light, Nebu informed the first customers about the incident. In the days that followed, NS told customers that the leak had stolen the personal data of some 780,000 train passengers. Soon enough after that, VodafoneZiggo, Heineken and health insurer CZ told us that private data of their customers may also have been captured.
Other aggrieved parties who have come forward recently include the International Film Festival Rotterdam (IFFR), the Royal Dutch Golf Federation (NGF), ArboNed, ProRail, the Rotterdam pupil transport company Trevvel, the Nationale Postcode Loterij, the Rijksdienst voor Ondernemend Nederland (RVO), housing corporations Stadgenoot, Vivare and Haag Wonen, and pension funds PME and PFZW.
This week, the Hogeschool van Amsterdam (HvA) warned 167 students and employees about the data breach. The educational institution said "suspicious activity" had been observed on the servers where the data of those affected was stored. The college reported the incident to the Autoriteit Persoonsgegevens.
From our enumeration, it is clear that the data breach at Nebu caused many victims. And that's just the tip of the iceberg. The Autoriteit Persoonsgegevens has inventoried the number of victims. What turns out? The regulator has now received 139 reports from companies and organizations affected by the problems at the software developer.
"This data breach shows on what scale a leak can have consequences. It is therefore important that companies quickly inform people concerned about the leak, if they have not already done so," a spokesman for the regulator told NU.nl.
The privacy watchdog has asked the affected parties for clarification about their contracts with the research firms and software vendors. Furthermore, the Autoriteit Persoonsgegevens wants to know what agreements they have made regarding the security of private data.
On Tuesday, market research firm Blauw and USP Marketing Consultancy filed summary proceedings against Nebu. They feel that the software developer did not inform them sufficiently about the events. For example, it is still unclear what data was obtained by the hackers. "Nebu deliberately cloaks itself in vagueness and fails to fulfill contractual agreements and legal obligations. There is no question of a thorough investigation. We no longer have confidence in it," the lawyer said at the hearing.
Nebu's attorney acknowledged that communication left much to be desired. "The cyber incident is currently Nebu's top priority. But when things are not yet clear to Nebu, Nebu cannot be expected to provide information. The outcry created with them is understandable, but the statements they are making in the media are incorrect."
Today the judge is ruling.
https://www.nu.nl/tech/6258327/al-139-organisaties-melden-dat-ze-getroffen-zijn-door-datalek.html
