Cyberlands.io - API Penetration Testing

Top 15 Cybersecurity Breaches in the Netherlands

Learn about the state of cybersecurity in the Netherlands and the 15 biggest breaches in this country.

With hacking attacks, breaches, and data leaks becoming more and more severe, digital security has become one of the most critical trends to consider in the coming years. From small startups on tight budgets to large corporations with large fortunes, organizations are investing heavily in the cybersecurity of their digital assets, and not without reason.

According to SonicWall's 2022 Cyber Threat Report, almost every category of cyberattack increased in volume throughout 2021. Compared to recent years, attacks on networks increased significantly in 2021, including ransomware, cryptojacking, vulnerability exploitation, phishing, and other attacks, hitting organizations across different industries all around the world.

In terms of what companies are most worried about, the following cyber threats top the list:

  • Phishing attacks (77%)

  • Ransomware (73%)

  • Data breaches (68%)

  • Business email compromise (63%)

  • Employee data breaches (56%)

As for the Netherlands, the country has extremely strong information technology capabilities, anchored by a robust digital infrastructure. In 2021, the Dutch were urged to invest €833 million in cybersecurity, the Cyber Security Council (CSR) said. With over 98% of households having a broadband connection, the Netherlands has become a leading cybersecurity hub in Europe and home to Europe's largest security cluster, the Hague Security Delta (HSD).

Therefore, prioritizing the cybersecurity field, accelerating the adoption and use of the latest security approaches and technologies, and heavily investing in the country's networks, information systems, private sector, and public services are essential for any company or institution operating in the Netherlands.

In this article, we'll discuss the most notable cybersecurity incidents in the Netherlands, looking at the real-world experience of the affected companies and the outcome of each case. As a business owner, you'll be able to identify the most common reasons for system breaches, learn how to act when faced with similar cases, and gain insights on how to secure your digital assets from being hacked online.

Let's get this started!

#1 Dutch CA Company Breached: Several Hundred Certificates Faked

DigiNotar, the Dutch certificate authority (CA) company, announced a major security breach in September 2011, which resulted in the fraudulent issuance of public key certificates for multiple domains.

The attack had been detected a few weeks earlier, as became known from the company's official press release. However, it took several months until DigiNotar revealed the number of certificates issued: the company initially reassured the public that all the fraudulent certificates had been revoked.

What is more, one of the certificates was overlooked and detected only later, with a report from the Dutch government.

After a detailed incident analysis, it became obvious that the scale of the attack had been underestimated, with several hundred fake certificates issued. According to the investigation by Fox-IT, a total of 531 fraudulent certificates were issued for 344 domain names. What is more, over 300,000 Gmail accounts, mostly in Iran, had been compromised as a result of this breach.

The negative impact of the attack was so massive that the company was forced to cease operations afterwards.

#2 Uber Got a Penalty of €460,000 Due to a PDPA Violation

Uber was hit with a penalty for failing to notify the Dutch Data Protection Authority (DPA) and the relevant data subjects of a data breach within 72 hours of discovery.

Authoritative sources revealed that the breach occurred in early 2016 and lasted nearly 48 hours. During this period, the criminals gained unauthorized access to drivers' and customers' personal data, affecting over 57 million users across the globe, including 174,000 Dutch users. The breached personal data included names, contact details, vehicle registration numbers, payment information, scores, and ratings.

It remains uncertain whether the exposed data was resold for phishing, unwanted advertising, and colportage.

It's also worth mentioning that this was the first significant fine ever imposed by the Dutch DPA for a violation of privacy regulation, also known in Europe as the GDPR standard.

#3 Dutch Startup Exposed User Addresses and License Plates As a Result of a Breach

SnappCar, a peer-to-peer car-sharing community, reported a massive data breach in July 2019, which affected the personal details of over 50,000 accounts.

According to the technical overview of this incident, the personal data exposed included the address details and license plates of car rental companies. SnappCar also highlighted that "no other type of data (such as passwords, email addresses or financial data) was ever accessible publicly"; the same statement applied to the renters' data.

For some reason, this sensitive data was accessible without being logged in to a SnappCar account, which indicates a low level of security in the vendor's API.

After the incident was revealed, the company reacted rapidly and resolved the system issue within a day. It also reported the breach to the Dutch Data Protection Authority, as required by law.

#4 Netherlands Hospital Hit With a Giant GDPR Data Breach Fine of €460,000

In July 2019, the Netherlands' Haga hospital was fined €460,000 for poor patient file security. According to the comprehensive report of the Dutch privacy watchdog Autoriteit Persoonsgegevens, this fine is related to the case of one of Haga's patients, Samantha de Jong, better known as Barbie, who was hospitalized after a suicide attempt the previous year.

The official comments on the incident revealed that her medical records, which must be completely confidential regardless of the patient's status and diseases, had been accessed by dozens of unauthorized members of staff.

Additionally, the hospital was given three months, until October 2, 2019, to improve its data security system; otherwise, a further fine would be issued at a rate of €100,000 every two weeks up to a maximum of €300,000. Haga Hospital accepted the suggestion and implemented the required measures to improve its system security.

#5 Netherlands' Coronavirus Track-and-Trace Programme Data Has Been Leaked

A massive personal data leak was reported by the Dutch health authorities (GGD) on January 29, 2021. According to the GGD's official report to the media, patient data was stolen in two separate leaks, potentially affecting thousands of people across the country.

In their statement, the Dutch health authorities couldn't state the exact number of people affected, saying only that the data leaked from their core track-and-trace system. The Netherlands' tracking smartphone apps, which were closely scrutinized for potential privacy weaknesses, were said to remain unaffected.

The GGD also publicly acknowledged that it was cooperating with the police, justice, and data and cybercrime specialists to identify the causes of the data leak, as well as the criminals responsible for the incident. As for the stolen data, it has been offered for sale online, though it's still unclear whether it was actually purchased by third parties.

#6 OLVG Hospital Was Fined Due to Insufficient Protection of PHI

Amsterdam-based hospital OLVG was hit with a fine of €440,000 issued by the Dutch Data Protection Authority (DPA) in February 2021. The reason was the poor security of patients' medical data, which at the time of the review could be accessed by unauthorized parties.

As a result of the unbiased investigation launched by the DPA, the authority identified two serious violations related to medical records storage. First, OLVG had no automated logging procedure for the medical files accessed and did not record and check cases of unauthorized data access. Second, OLVG had not implemented two-factor authentication to identify a user who wants access to a patient record.

After the system security investigation was completed, OLVG eliminated the existing issues and improved its internal systems to fully meet the DPA's current security guidelines.

#7 Dutch Research Council Servers Reported to Be Compromised

In February 2021, the Dutch Research Council (NWO) reported that some of its servers had been compromised as a result of a ransomware attack. Due to this incident, the organization suspended subsidy allocation for the foreseeable future.

With the network down, NWO applications remained unavailable for some time, including its email service (Outlook) and the online resources of two entities it operates: the Netherlands Initiative for Education Research (NRO) and the National Governing Body for Practice-oriented Research SIA.

Details about the attack type, causes, and malware used remain unavailable, as does information about the criminals responsible for the attack. The organization declined to comment on the attack while the investigation was ongoing and until the NWO security system was fully recovered.

As a reputable entity in the Netherlands, NWO funds thousands of researchers at universities and institutes in the country, so its security breach significantly affected the performance of hundreds of entities across the globe.

#8 Car Owner Database With Over 7.3 Million Was Sold on a Hacking Forum

RDC, one of the largest garage and maintenance service providers, confirmed a data breach that occurred on March 25, 2021, which resulted in the leakage of the personal and vehicle details of millions of Dutch car owners. The incident came to light after the stolen data was offered for sale on a cybercrime forum.

According to a case study by one authoritative source, the exposed data included details such as (company/individual) names, home addresses, email addresses, telephone numbers, dates of birth, vehicle registration numbers, car makes and models, and license plates.

Following the incident, RDC initiated an internal investigation, confirming that the ransomware had gained access to over 60% of its customer entities. The company also said it had notified the authorities and affected clients of the data breach and was actively contributing to the investigation of the security incident.

#9 Booking.com Leaked the Personal Data of Over 4,000 Customers

In March 2021, the world-famous service Booking.com was hit with a fine of €475,000 for missing the 72-hour deadline to report a breach to the regulator, having reported the system intrusion a month after it occurred.

According to the results of the internal investigation, criminals obtained the financial data of nearly 300 victims, including their credit cards and CVV codes. Given the sensitivity of financial data, this incident significantly affected the company's reputation. According to Forbes' sources, the hackers also attempted to get the banking information of other clients by posing as Booking.com employees by email or telephone.

The company's spokesperson claimed the fine related specifically to the late notification of this incident and was not linked to Booking.com's security or to the data breach incident itself.

#10 Largest Dutch Logistics Service Provider Falls Victim to a Ransomware Attack

One of the most reputable food-logistics firms in the Netherlands reported a ransomware attack that encrypted devices on its network. The incident became known in April 2021, after employees discovered they couldn't plan transport-related operations on the internal system.

The firm's director didn't share details of the attack but said he suspected the hackers had exploited a flaw in the Microsoft Exchange Server system. According to official sources, the company managed to restore the affected systems from backups, but it's still unclear whether a ransom was paid to get the data back, or who was responsible for hitting the warehousing and transportation provider.

As a result, the logistics company was forced to interrupt fulfillment operations while working on the internal investigation of this incident. This interruption led to a shortage of some food products, especially cheese.

#11 Overijssel Chapter of the Freedom Party (PVV) Failed to Report a Data Breach

Another DPA fine, of €7,500, was imposed on the Overijssel chapter of the Freedom Party (PVV) in May 2021. According to the initial information about the breach, the chapter had not reported the data breach to the corresponding local authorities.

The data breach arose from an email about a meeting of supporters, which referred to 101 addressees as 'friends of the PVV'. As a result of an employee error, the names and email addresses of all the addressees were visible to everyone who received the invitation. The political opinions of the addressees were therefore disclosed as well.

According to the latest regulation on data breaches, businesses and public authorities must report such breaches within 72 hours. The affected parties can then get expert assistance in notifying the victims and mitigating the consequences, as well as clear guidance on security improvements.

#12 Russian Hackers Breached Dutch Police Systems

In June 2021, a Dutch government body revealed a massive system breach, which had been initiated by a hacker group from Russia. The incident was traced back to September 2017, when the country was investigating the MH-17 crash.

According to the official information, the intrusion was kept under wraps by Dutch investigators and uncovered by the AIVD, the Dutch intelligence service. The AIVD identified a Dutch police IP address communicating with known malicious servers operated by Russian state-sponsored threat actors and alerted Dutch police to the system penetration.

Volkskrant, an independent newspaper, said that both parties have very little knowledge of the incident details, mainly due to the lack of monitoring and logging. Additionally, it remains uncertain what the hackers did inside the police network and which ransomware group is actually responsible for the attack. Neither Dutch police nor the AIVD confirmed or commented on the information about the system breach.

#13 VelzArt Tech Provider Fell Victim to the Kaseya Ransomware Attack

In July 2021, Dutch technology provider VelzArt reported a serious attack on its internal systems, which affected over 30 of its employees.

In fact, VelzArt was only one of the hundreds of organizations affected by the Kaseya ransomware episode. After the attack was revealed, the tech provider immediately notified the local authorities and affected clients, transporting the clients' computers back to its corporate headquarters for repair. Luckily, analysis of the breached hardware showed there were no Kaseya VSA patches or any other malware that could have potentially hit the clients' system security.

Unlike most of the other affected firms, VelzArt has been continually posting updates on the investigation process, explaining how the attack affected customers and what measures have been taken to prevent possible incidents in the future. Some of the highlights for other companies to learn from this incident include communication, backups, and collaborative recovery practices, which were used extensively in the process.

#14 Transavia Airline Has Been Fined €400,000 Due to Poor Data Security

In November 2021, the airline Transavia was accused of providing poor data security and hit with a €400,000 fine issued by the Dutch Data Protection Authority (DPA). This became known after hackers managed to access the personal data of over 25 million of the company's passengers.

Once the incident had been discovered, the company reported the data breach to the AP in time and informed the parties involved according to the local regulations. During the internal investigation of this incident, Transavia revealed that the ransomware had managed to steal the data of nearly 83,000 clients, which included names, dates of birth, gender, email addresses, telephone numbers, flight information, and booking numbers. Additionally, the stolen data included the medical information of 367 people with disabilities, who had requested a wheelchair or add-on services due to special medical conditions such as blindness or deafness.

#15 Dutch University Has Experienced a Ransomware Attack

In December 2019, the University of Maastricht reported a ransomware attack on its internal systems, which hindered students and staff in accessing email, research, and specific data platforms.

To restore access, the hackers demanded a ransom payment of 30 Bitcoins, which at the time of the incident was worth about €197,000. Despite police advice and moral objections against paying the ransom, the university admitted to paying the criminals. As a result, it was able to conduct exams "more or less as planned" and suffered "little or no irreparable damage".

Later on, in 2022, the university managed to recover $550,000 lost as a result of the hack, a sum that had jumped in value from $220,000 in 2019. The university is planning to use the retrieved funds for students in need, those affected by the pandemic, and other vulnerable student groups.

Conclusion

As you can see, even the most reputable companies and brands with billion-euro investments in cybersecurity cannot always be 100% sure that their digital assets are completely secure. Regardless of the industry, business owners need to be proactive: continually improve system security against ransomware attacks, identify vulnerabilities in a timely manner, and implement the latest practices that help ensure the company's smooth operation at any time.

We hope that the infamous experience of the Netherlands' most reputable enterprises has helped you to gain some useful insights on what aspects to consider when planning a cybersecurity strategy for your company.

However, if you need expert assistance in securing your business online, contact Cyberlands right away! Our team is always ready to provide first-class assistance in any security challenge and guard your enterprise against nearly any ransomware attack!
Cyberlands.io Team