AP warns: risks of cyberattacks are often underestimated
Too many organisations in the Netherlands that are hit by a cyberattack fail to warn people that their data has fallen into the wrong hands. In 7 out of 10 cases, organisations underestimate the risks of the attack. As a result, the people whose personal data has been breached cannot protect themselves against possible fraud or other crimes by cybercriminals.
The Dutch Data Protection Authority (AP) warns about this in the annual overview of data breach reports in the Netherlands. ‘Don’t underestimate it; with your data in hand, criminals can really harm you’, explains AP chairman Aleid Wolfsen. ‘They can use your telephone number or e-mail address to send you payment requests that you may accidentally click on. A copy of your passport can be used by someone else to take out a loan in your name. Your data is invaluable to criminals.’
In total, the AP received more than 25,000 reports of a data breach in 2023. All in all, approximately 20 million people became victims.
Duty to report data breaches
It is not without reason that organisations are obliged by law to warn people if there is a high risk after a data breach. In practice, however, the AP notices that organisations often underestimate the risks. As a result, they do not inform people that their personal data has been breached.
Wolfsen: ‘This is extremely worrying. People must be able to trust that organisations handle their personal data correctly. This also means an organisation must inform you properly if something unfortunately goes wrong with your data. Because how can you keep control of your life if you are not told what happens to your data?’
Primary responsibility
In 2023, more than 1,300 data breaches involved a cyberattack. Cyberattackers often target IT suppliers. Organisations hire IT suppliers to manage what are often large amounts of personal data. These hiring organisations generally remain responsible if anything happens to this data. They must therefore inform people themselves if their personal data at the IT supplier has fallen into the wrong hands.
Wolfsen: ‘Digitalisation brings opportunities, but also risks. That makes it all the more important to keep people well informed.’
Interventions by the AP
The AP monitors whether organisations that have to inform victims actually do so. This also means the AP can intervene. This happened, for instance, in 2023 after a major data breach that followed a cyberattack on IT supplier Nebu. The AP urged more than 30 Nebu customers to inform the victims after it became known that these organisations had initially decided not to do so. This intervention by the AP enabled approximately 50,000 people to defend themselves against potential cybercriminals.
Wolfsen: ‘That was a specific example of the AP’s actions. But the goal is for organisations to take responsibility on their own initiative. That’s what it’s about.’