Dutch DPA: more ransomware attacks than known so far

Themes:
Data breaches
Security of personal data

In 2023, there were more ransomware attacks in the Netherlands than generally known so far. This can be concluded from the first ransomware report of the Dutch Data Protection Authority (Dutch DPA). Throughout 2023, the Dutch DPA found at least 178 successful attacks. Since one attack often affects several organisations at the same time, the total number of organisations affected will be in the hundreds. Personal data of millions of people in the Netherlands were affected.

‘Ransomware attacks are a dangerous trend, claiming a serious number of victims’, Dutch DPA chairman Aleid Wolfsen says. ‘Figures of the Dutch DPA now show that this danger is even greater than thought. This should be a warning for everyone. Organisations in the Netherlands: do not become the next victim, make sure that you have your digital security in order.’

Millions of data

During a ransomware attack, hackers break into an organisation's digital systems and use special software to encrypt files full of privacy-sensitive data, taking them 'hostage'. The hackers then demand a ransom in exchange for making the files accessible again. Increasingly, they also copy the data before encrypting it and threaten to sell that copy to other criminals or even to publish it.

The Dutch DPA sees that cyber criminals sometimes target one specific company in a given sector, but also that they regularly attack IT suppliers who manage data on behalf of a series of companies from all kinds of sectors. If such an attack is successful, the hackers affect numerous organisations at once, and therefore, in the end, also the many people whose data have been stored at all those organisations.

Wolfsen: ‘The size of a ransomware attack increases exponentially very soon, the damage multiplies at the speed of light. Do not underestimate that.’

One specific ransomware attack last year affected more than 200 organisations at the same time, with data of as many as 2.5 million people in the Netherlands.

Tips for organisations

Wolfsen: ‘As an organisation, you may suffer significant financial damage. When your systems are held hostage, you literally cannot work. And as an individual, you run the risk of your privacy-sensitive data becoming public knowledge. That is why the Dutch DPA has compiled this ransomware report: to warn, and to give organisations tips on how they can make themselves less vulnerable to cyber attacks.’

Obligation to report to the Dutch DPA

Until now, the estimate was that there were over 140 ransomware attacks in the Netherlands last year. This figure originates from other agencies dealing with this theme. That the Dutch DPA counted more ransomware attacks is most likely due to its role as supervisory authority for the legal obligation to report data breaches.

Wolfsen: ‘A data breach is when something goes wrong, as a result of which personal data may end up with the wrong people. In the case of a ransomware attack, that chance is substantial, of course. An affected organisation is obliged to report such a breach to the Dutch DPA. However, reporting such an incident to other agencies is not always mandatory. This explains why the Dutch DPA has a relatively strong insight into the number of ransomware attacks in the Netherlands.’

Further insights

For the ransomware report, the Dutch DPA has asked the affected organisations to cooperate in further investigations. A total of 90 organisations have been investigated. Added together, data sets with many millions of pieces of personal information, varying from emails and telephone numbers to passport copies, bank account numbers and passwords, were involved in the ransomware attacks in question.

Other conclusions of the Dutch DPA:

  • Most organisations did not have the basic security of their systems in order, which gave hackers their opportunity. In most cases this concerned missing multifactor authentication, a weak password policy, and software that was not updated in time. It also regularly happens that sensitive data are concentrated on a single server instead of being spread across separate, segmented networks. This concentration makes organisations vulnerable to cyber attacks, because one compromised system then exposes everything.
  • The Dutch DPA recognises the trend of 'double extortion' in the case of ransomware. Not only do hackers make data inaccessible by encrypting them, they also increasingly threaten to sell or publish the data if payment is not made quickly. Almost half of the organisations who spoke to the Dutch DPA indicated that they had experienced this double extortion.
  • The vast majority of organisations (82 out of 90) state that they did not pay any ransom to the hackers. The Dutch DPA is against such payments: they sustain a criminal revenue model, and they do not guarantee that you, as an organisation, actually get your encrypted data back.