Cyber Incident Victim: Regionale Belasting Groep

On May 24, 2024, Regionale Belasting Groep (RBG) disclosed a ransomware attack impacting one of its suppliers responsible for automating the distribution of tax assessments and payment reminders for multiple tax offices and businesses. Cybercriminals encrypted the supplier’s files, potentially exfiltrating personal and business data belonging to RBG clients. The compromised information may include names, addresses, residence details, citizen service numbers (BSN), bank account numbers, email addresses, and property ownership records for residential and commercial buildings. RBG confirmed its own systems remained uncompromised, with no evidence of unauthorized access to its tax infrastructure. The supplier initiated an investigation with assistance from a cybersecurity specialist to determine the scope of data theft, though no sale or public disclosure of encrypted data had occurred at the time of reporting.

RBG severed all digital connections with the supplier immediately upon detecting the incident and conducted internal audits confirming the integrity of its tax processing systems. The organization notified municipalities, water authorities, and other relevant entities it serves, while submitting a preliminary data breach notification to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). The supplier, which provides services to approximately 60 companies and government agencies, focused on restoring secured operations and mitigating damage. RBG maintained customer access to its secure "Mijn RBG" portal for digital tax affairs but advised vigilance against potential phishing attempts leveraging stolen data. Ongoing coordination with the supplier continues, with RBG committing to public updates once forensic analysis confirms the specific nature and extent of compromised data. The investigation remains active, with no confirmed timeline for resolution.