20/04/2023 - Recently, a major data breach in the Netherlands has come to light. The list of affected companies and stakeholders seems to be getting longer by the day. The Dutch Data Protection Authority (AP) has already received notifications from 139 companies that they have been affected by the data breach. The data breach is the result of a cyber-attack on software supplier Nebu. As a result, the personal information of millions of individuals may have ended up in the hands of cybercriminals. A lot has already been reported in the news about this data breach, but what can we actually learn from the incident?

The facts at a glance

The 139 companies that have filed a report with the AP work together with a number of different market agencies, all of which use the same software supplier: Nebu. The market agency that is most often associated with the data breach in the media is Blauw Research (hereinafter: Blauw). Blauw conducts customer satisfaction surveys on behalf of various organisations, including NS, VodafoneZiggo, health insurer CZ and the "Rijksdienst voor Ondernemend Nederland" (the Netherlands Enterprise Agency).

When asked about the cause of the data breach, Blauw and the other market agencies have pointed to Nebu. Nebu provides companies with software solutions for market research. On March 10 and 11, Nebu fell victim to a cyberattack in which the attackers captured data. Exactly what data the attackers were able to steal is not yet known. Blauw states that it "in principle" only stores the name, e-mail address, customer type and survey results of the data subjects. Whether this data has actually been leaked remains to be determined by the investigation into the data breach that is currently being undertaken. NS emphasises in any case that financial data or passwords were not involved.

Proceedings for interim measures

After Nebu informed Blauw about the data breach, Blauw asked Nebu to provide more information about the exact facts of the breach, its cause and whether the breach could reasonably have been prevented. When Nebu did not provide this information, Blauw filed proceedings for interim measures against Nebu with the District Court of Rotterdam, demanding information about the data breach and an external forensic investigation into the cause of the breach.

In its decision, the court looks, among other things, at the interpretation of the processing agreement between Blauw and Nebu. The agreement states, among other things, that Blauw will be informed immediately (or in any case within 24 hours after the occurrence of the incident) of any incident in connection with the processing of personal data, and that Nebu will fully cooperate with Blauw and follow Blauw's instructions in this regard. This enables Blauw to properly investigate the incident, formulate a response to the outside world and take appropriate follow-up steps. The clause is based on the processor's obligation to provide information and assistance, as formulated in Article 28(3) GDPR.

According to the judge in the proceedings, Nebu must comply with these obligations in a "loyal and generous manner". The court therefore largely upheld Blauw's claims. Nebu must, among other things, provide information about the details of the cyber attack and the recovery of the systems, about whose personal data was leaked, about who the perpetrators of the cyber attack are, and about the measures Nebu has taken. The claim for an external forensic investigation into the cause of the leak was also granted by the court: within five working days of the ruling, Nebu must bring an external party on board to carry out this investigation. The report must be delivered within 4 weeks.

Data breaches at software suppliers are no longer a surprise

Nebu's data breach fits within a trend identified by the AP in which IT suppliers are increasingly falling victim to cyber attacks. The trend is easily explained: there is simply a lot to be gained from IT suppliers. They often hold personal data from many different organisations on their servers, so the impact of a data breach at an IT supplier is very large, as the data breach in question shows.

In view of the above, it is undoubtedly important for such suppliers that the personal data they process is properly secured. They are also legally obliged to do so. Article 32 GDPR requires both controllers and processors to take appropriate technical and organisational measures to ensure a level of security appropriate to the risk. In this context, it does not matter whether a party qualifies as a processor or a controller; the security must always be sufficient.

What can organizations do in concrete terms to limit the chance of a security incident at a software supplier and to mitigate the risks?

Nebu is an ISO 27001 certified company that claims to have 25 years of experience in building and offering software solutions. At first glance, Nebu therefore seems to be a reliable partner with solid security. In retrospect, it turns out that Nebu may not have had its security in order after all. In addition to requesting security certificates, what can organisations do to limit the chance of a security incident with a software vendor?

In a previous blog I indicated that certification mechanisms – such as ISO 27001 – often only relate to the governance of information security and say little about the actual level of security. It is therefore wise for organisations not only to record in a processing agreement that a processor must comply with certain standards, but also to check whether the processor in question actually complies with these standards. This can be done by carrying out an audit yourself or by requesting a recent Third Party Communication (TPM) from the supplier. A TPM is a statement issued by an independent audit party about the quality of an organisation's ICT service and its controls. In addition, it is important to make clear agreements with the processor about the provision of assistance and information in the event of a data breach. To be more certain that a processor knows how to act in such a case, you can, for example, request its incident response plan. If the processor does not appear to have one, that is usually a bad sign.

Sharin Agu, Legal Consultant

Want to know more?

Would you like to know what else you can do to be well prepared for data breaches? Please contact Considerati, as we offer specialized advice and tailor-made support.