A massive data breach first reported in the Netherlands this week now also includes at least some sensitive financial information. The leak now includes the income data of people who are still accruing a pension with the PME Pension Fund, in addition to their names, genders, ages, and phone numbers. The data of roughly two million residents of the Netherlands may have been stolen in a cybercrime when outside parties reportedly used a security hole and managed to gain access to companies using software from Nebu, according to the latest figures. Nebu’s software is used by several market researchers in the Netherlands. The company has not commented on the massive data breach, and neither has its publicly-traded Canadian parent, Enghouse Systems. One lawsuit has already been filed in the matter.

PME represents metal and tech workers. The organization already announced on Thursday that it may have been one of the many firms affected by the data breach. However, the possibility that financial data also leaked out was reported on Friday. About 170,000 current workers are still building a pension at PME. Their bank account numbers, home addresses, citizen identification numbers and email addresses have not leaked out.

PME is one of many organizations working with Blauw, who was the first marketing research firm to report that an outside party gained access to Nebu’s network. Nebu is headquartered in Wormerveer, Noord-Holland, with an office in Debrecen, Hungary, and is owned by Canadian parent company Enghouse Systems. Some of Blauw’s other clients include national railway NS, telecom operator VodafoneZiggo, the Dutch golf association, and the Netherlands Enterprise Agency (RVO).

List of organizations hit in data breach continues to grow

About 780,000 records were stolen related to NS customers who filled out a survey. Another 700,000 VodafoneZiggo clients did the same, as well as over 100,000 golfers who participate in one of the 29 sports associations linked to the Nederlandse Golffederatie. Still 27,000 more were tied to the RVO, which is part of the Ministry of Economic Affairs and Climate. This pertains mainly to entrepreneurs, with the RVO being a key link for businesses looking to apply for subsidies, financial support and investment from the Dutch government.

This breach potentially affected many other companies that work with Blauw, including thousands who participated in studies for ProRail, Nationale Postcode Loterij, health insurer CZ, Heineken, ArboNed and Trevvel. The data is believed to concern personally identifiable information, like names, address details, email addresses, and contact phone numbers, but not payment information or account numbers.

On Thursday, market research firm USP announced that it was also the victim in the same data leak. The company also works with Nebu as a software vendor. USP’s clients include social housing firms Stadgenoot in Amsterdam, Haag Wonen in The Hague, Vivare in Arnhem, Eelder Woningbouw in Drenthe, Woonstichting Hulst in Zeeland, and Poort6 in Gorinchem.

The data of a total of between 100,000 to 150,000 residents of the Netherlands may have been stolen from USP clients, including names, home addressees, email addresses, and telephone numbers. The data of another 350,000 others not based in The Netherlands may have also been stolen, said USP, which has 52 clients in total. USP believes between five and ten other large Dutch market agencies may have been hit in the same leak.

Lawsuit readied over Nebu’s silence, Enghouse Systems remaining quiet

Nevertheless, USP plans to continue working with Nebu for now. “There is no guarantee that this will not happen to another party. We have to be careful and realize that hacking is part of the order of the day. We have been using software from Nebu for 20 years and this is the first problem,” said Jan-Paul Strop, the head of USP.

However, Blauw CEO Jos Link was aggravated that Nebu has provided very little information, he said on Thursday. Blauw is filing a lawsuit to demand more information from Nebu about the leak. The case will be heard on Tuesday. Blauw wants to know exactly which personal data was taken, and how it could have happened. If the software supplier provides clarity before Tuesday, Blauw will drop the lawsuit.

Enghouse Systems is listed on the Toronto Stock Exchange. The company generated 427.6 million dollars in revenue during its last fiscal year, with a profit of 94.5 million dollars. Enghouse Systems took over Nebu in June 2021. At the time, it bragged about Nebu’s ISO 27001 certification, a global information systems security standard. The documentation shown on Nebu’s website indicates that this certification was issued in Budapest, and expired two weeks ago.

Companies need to be much more careful with protecting data, says Dutch DPA

The Dutch Data Protection Authority (AP) has not ruled out the possibility that more companies and organizations will report that private customer data may become public as a result of the major data breach. “It is clear that this has our great attention, we are trying to get a clearer picture of the leak,” said the spokesperson for the Dutch Data Protection Association (AP).

The privacy regulator spokesperson said companies must also be more aware of their responsibility when passing on personal data. Businesses need to pay extra attention to protecting the personal data they have collected, he said. “Then you think, that’s an open door. But you should also be aware that as a company you are responsible for the personal data when you pass it on for market research.”

More limits needed on data collection, parliamentarians say

According to D66, businesses and also the government collect too much data from people, with the risk that it will leak out. That is why MP Hind Dekker-Abdulaziz argued for setting limits on this, she said in response to the issue. Fellow coalition partner VVD and opposition party PvdA are also concerned.

Dekker-Abdulaziz wants companies and governments to be held to “a data diet” and that data may also be kept for a shorter period of time. She also said she believes that too many employees within organizations have access to personal data. This week, the parliamentarian submitted a motion requesting that civil servants only be given access to personal data if this is demonstrably necessary to do their job.

“Cybercriminals are licking their fingers at this and can try to scam people in a very sophisticated way,” said Queeny Rajkowski of the VVD. Songül Mutluer (PvdA) is concerned that people who are already vulnerable will be harmed by the leak. Both MPs advocate measures to prevent a recurrence.