It is becoming increasingly clear about the scope of the data breach at a software supplier of market researchers. After the NS and VodafoneZiggo informed hundreds of thousands of customers in recent days about the possible theft of their personal data, it now appears that customer data from the Dutch Golf Federationworking conditions service ArboNed and transport company Trevvel to have been leaked.
Health insurer CZ and the Friends of Amstel Live have also announced that they have been affected by the leak. The NOS calculates that at least two million Dutch customer data have been stolen. In addition, data from one person may appear more often in the database, because they have been customers of several companies or have participated in market research.
The affected companies largely worked with market research agency Blauw, which uses software from supplier Nebu for customer research. According to Blauw, third parties at Nebu have had access to data they collect for clients and data for their own satisfaction survey. In a declaration Blauw writes that the supplier has confirmed on March 27 that data has been stolen, but has not yet provided any clarity about exactly what data has been stolen.
summary judgment
The market research agency has now filed summary proceedings against Nebu to obtain more information about the leak, says CEO Jos Vink at the ANP news agency. The summary proceedings will be heard next Tuesday, unless Nebu provides clarity to Blauw before then about which data is part of the leak and how it could have happened. NRC asked Nebu for a response.
Customer data from surveys via market research agency UPS are also part of the data leak, the company reports on the site. In the Netherlands, this may involve 100,000 to 150,000 people via 52 clients of the agency. The Arnhem housing corporation USP reports that 20,000 to 22,000 tenants may have been affected. Haag Wonen in The Hague (22,000 tenants) and Corporatie Stadgenoot from Amsterdam (15,000 people) also say they are victims.
The Dutch Data Protection Authority has asked the parties involved in the leak for clarification, a spokesperson confirms. “This is an exceptional case that has our full attention.” The spokesperson cannot confirm the two million customer data mentioned by the NOS, but he does speak of a “very large incident”.