Netherlands: A software company serving marketing research institutes was hacked – records of millions of citizens were leaked

by time news

Several Dutch market research companies using industrial software called Nebu have been hacked, and the attack appears to have exposed information about roughly two million Dutch residents. It appears that the data breach consists mainly of contact information, but also includes income data, and at least in a small number of cases, more sensitive personal information may also be included.

The types of information exposed in the leak vary. In some cases, the attackers obtained only the basic contact information included in the survey. In another case they took sensitive information from a pension fund. The victims so far are all market research companies using Nebu software, which may have had some vulnerability. It is still difficult to define what exactly happened.

The first victim to report a data breach was Blauw, a research firm that has several major clients including the Dutch national railway company and media/entertainment company VodafoneZiggo.

Blauw says that the information of about 780,000 train customers who filled out a marketing survey was exposed, and that this may contain contact information such as email addresses and phone numbers. A similar survey done for VodafoneZiggo also exposed about 700,000 additional records, along with records of about 100,000 members of the Dutch Golf Association.

The market research company also claims that about 27,000 records of the Dutch Enterprise Agency were exposed, and that these may have contained information about subsidies and financial support that entrepreneurs are applying for. Blauw data related to the pension fund PME was also exposed, although the company claims that identification numbers and bank details were not included in the data leak.

Another market research firm, USP, reported that it had also seen a large amount of similar survey data stolen. In total, it lost 100,000 to 150,000 records of Dutch residents and another 350,000 records of people living outside the country. USP says similar contact details (such as email addresses and phone numbers) were included in those records. In addition, 27,000 records linked to the RVO, part of the country’s Ministry of Economy and Climate, were stolen.

USP says it will continue its relationship with Nebu and that it sees the incident as an anomaly after a previously trouble-free 20-year business partnership. On the other hand, Blauw expressed bewilderment at Nebu’s refusal to provide details and filed a lawsuit against the software provider in an attempt to get more information.

Nebu, based in Wormerveer, near Amsterdam, was acquired in the summer of 2021 by Canadian enterprise software solutions specialist Enghouse Systems. According to a statement on the Blauw website, the unauthorized access to Nebu’s network occurred on March 24, and on March 27 it was confirmed that “data was indeed stolen.”
