Cyber Incident Victim: USP Marketing Consultancy

USP Marketing Consultancy, a market research firm, experienced a data breach involving one of its software suppliers used to conduct client research projects. The incident stemmed from unauthorized access to the supplier’s network, potentially exposing data collected on behalf of USP’s clients, as well as data from its own satisfaction surveys. Compromised information included names, email addresses, and phone numbers used to invite participants to research studies, along with survey responses submitted by participants. USP first learned of the breach on March 24, 2023, when it received written confirmation from the supplier regarding the unauthorized network access. Four days later, on March 28, the supplier confirmed that data had been exfiltrated from its systems. USP stated it did not yet know the precise scope or content of the stolen data at the time of its public disclosure, though it initiated an investigation to determine which specific records were accessed or removed.

The breach impacted personal data processed for research operations as early as six months prior to March 2023. Businesses contacted by USP for telephone-based research during this period were warned that their corporate phone numbers may have been compromised. USP advised vigilance regarding suspicious phone calls or WhatsApp messages but did not disclose the number of affected individuals or organizations. In response to the incident, USP notified the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) about its own data holdings and directly informed all impacted clients. The company emphasized ongoing efforts to collaborate with the supplier’s investigation to trace the full extent of the breach while maintaining transparency with clients through regular updates. USP expressed regret over the incident but did not specify operational disruptions or financial repercussions resulting from the compromise.