This week has seen a torrent of privacy-related news stories, with a number of Dutch companies announcing that some of their customers had been affected by a major data leak. Were you one of the people to receive an email saying your private data had been leaked? Here’s what we know about the Dutch data breach that hit the Netherlands this week. 

Why and how have Dutch companies been affected by data breaches?

While a range of companies have been hit by data breaches this week, all incidents stemmed from just one source: Nebu, a software company based in Wormerveer, a town located to the north of Amsterdam. Nebu specialises in software that allows companies to conduct customer surveys - software that was used by Netherlands-based research agencies which, in turn, were utilised by various Dutch companies to carry out customer satisfaction surveys. 

Nebu, where the private information gathered in these surveys is stored, is the source of the data leak. It’s not yet clear what happened - Nebu is yet to confirm whether the breach was the result of a targeted attack, or simply an accident caused by a worker misplacing a company laptop, for example. 

Which companies have been affected by the Nebu breach?

So far, it has been confirmed that the data breach at Nebu has affected Nederlandse Spoorwegen (NS), VodafoneZiggo, ArboNed, Heineken, International Film Festival Rotterdam (IFFR), the Dutch Golf Federation, CZ (a health insurance provider), Trevvel (a company offering transportation for healthcare services), and the Dutch Rental Commission (Huurcommissie). 

All companies and organisations affected by the breach are required to inform their customers that their private information has (potentially) been leaked. It’s expected that, over the coming days and weeks, more companies will get in touch with customers to inform them of the breach.

How many people in the Netherlands have been affected?

Since NS first broke the news of the breach in their customers' data earlier this week, the scale of the incident has grown. According to NOS, it’s now estimated that at least 2 million people in the Netherlands have been affected. 

The Dutch government has reported that it was not affected by the breach.

What data has been leaked? Should you be worried?

In the case of this breach, the data that has been leaked normally concerns names, email addresses and phone numbers, but some of the research agencies affected have said they’re not yet sure exactly what data has been leaked.

If your data was leaked as a result of the breach, then you will be informed, generally via email, by the relevant company. While the situation certainly isn’t ideal, RTL Nieuws reports that there’s minimal cause for concern: “Cybercriminals can't do much with just an email address and phone number.” As this breach hasn’t affected account log-in details, those affected aren’t required to take any immediate action such as changing their passwords. 

However, issues could potentially arise if someone out there is able to connect the data leaked in this breach to other personal data, such as your bank account number. With this information, scammers might be able to contact you with personalised phishing emails, claiming to be from your bank.

Of course, it’s also important to note that no one knows where the data is, and there’s no guarantee that the information has fallen into the wrong hands.

What happens next?

At the moment, little is known about the cause and consequences of the breach at Nebu. The Dutch Data Protection Authority has so far been unable to draw up a comprehensive picture of what exactly happened, but has launched an investigation into the incident. 

Some of the research agencies that were affected by the breach have filed summary proceedings against Nebu, calling on the company to provide more information about the leak. The hearing is scheduled to take place on Tuesday, April 4.

Thumb: Thapana_Studio via Shutterstock.com.