Zabawas Foundation has sued the ICT company PS Logic. The foundation believes the company fell short when it was hit by a ransomware attack in 2018. For example, recent backups were not available after the hostage software attack. This brought the foundation's business operations to an unnecessary halt. This is according to legal documents from the court in Rotterdam.

Zabawas is a family foundation designated by the Tax Office as a General Beneficial Institution (ANBI). The foundation distributes donations to individuals or institutions that develop initiatives in the fields of culture, nature, medicine, sports and education. The foundation requires that the donated money benefits Dutch society and the public interest.
In July 2013, the foundation entered into an "all-inclusive ICT management" agreement with PS Logic, an ICT company based in Berkel en Rodenrijs. The contract stated that the South Holland ICT company was going to "proactively manage, maintain and monitor the ICT infrastructure, 24/7 monitoring of service, backups and network, possible reinstallation of workstations, networks, servers and printers." This involved four computers, a server and a printer. For these services, the foundation paid a monthly fee of 130 euros (excluding VAT).
On April 12, 2018, one of Zabawas' systems became infected with ransomware. Ransomware is hostage software that blocks employee access to computer systems. It also places company documents and other data under lock and key. The only way to regain access to the systems and files is to pay a ransom. The victim is then given a so-called decryptor or decryption key by the perpetrators. The ransom amount can reach millions of euros, depending on the business activity and size of the company.
The infection, they said, rendered the system unusable and brought business operations to a complete halt. During the recovery work, only an old backup, dating from July 2017, turned out to be available. As a result, Zabawas lost a lot of data, as well as software that a software company had developed for the foundation.
After the ransomware attack, Zabawas decided to have its ICT environment investigated by Baaten Security. The investigation report left no doubt: information security was not up to par. "Several vulnerabilities (deviations from the norm) stem from rookie mistakes, carelessness, and unwise setup choices that a 'normal and reasonable acting' ICT supplier (large or small) should not make despite missing security agreements," the research firm wrote.
Baaten Security therefore does not find it surprising that one of Zabawas' systems was able to become infected with ransomware. "Given the current state of the ICT environment, such a serious disruption was only a matter of time; the level of digital resilience is too low to speak of an appropriate and market-compliant information security level." The hostage software was presumably able to embed itself in the computer system via the TeamViewer program. However, due to "limited logging information," this cannot be determined with certainty.
On April 10, a week after the ransomware attack, Zabawas held PS Logic liable for damages suffered and to be suffered due to the infection. In July 2019, the foundation terminated its cooperation with the ICT company. Through the court, the foundation declared that the company had defaulted and failed to fulfill its obligations. All in all, the foundation claims damages of over twenty thousand euros. PS Logic is asking the court to order the foundation to pay an amount of nearly four thousand euros, not including court costs.
The Rotterdam District Court says it cannot currently answer the question of whether PS Logic was negligent in the backup matter. The court is therefore proposing to appoint an independent expert. He should assess the circumstances at the time of the ransomware attack and answer the question of whether the agreements made about providing backups were sufficient.
Furthermore, he must judge whether the ICT company had properly handled the security of the foundation's ICT system. Finally, he must determine the cause of the ransomware infection. It is not inconceivable that the hostage software got into the system through human error, such as the opening of a rogue attachment in an e-mail.
