Cyber Incident Victim: Thermae 2000

Date: Sep 2023

Location: Netherlands

Summary

A ransomware attack targeted Thermae 2000, a wellness center, leading to encrypted systems and potential unauthorized access to customer data, though specific impacts remain undetermined. The organization notified authorities and warned customers to change passwords and watch for phishing attempts, confirming no ransom was paid. Medical records remained secure due to isolation in a separate digital environment, and no imagery from private areas was compromised as surveillance cameras were absent in those zones. The attackers exploited undisclosed vulnerabilities in what the victim described as an advanced incident. Systems were restored using verified backups with enhanced security measures, and operations resumed fully following the attack.

Description

On September 5, 2023, Thermae 2000, a wellness center in Valkenburg, Limburg, reported a ransomware attack to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). The attack reportedly occurred earlier that week, although Security.NL specified that it took place the prior week; the exact date remains undisclosed. Hackers deployed advanced ransomware to encrypt the company’s data, rendering systems inaccessible pending a ransom payment. Thermae 2000 immediately shut down its IT systems upon detecting the breach and initiated an investigation with cybersecurity experts to assess the scope. The attackers’ method of infiltration was not disclosed, though the company emphasized the sophistication of the attack while providing no technical justification for this characterization. Thermae confirmed it did not pay any ransom, stating that doing so would be unwise under the circumstances.

The company notified customers via email about the potential compromise of personal data, though it could not confirm whether attackers accessed its client database. Customers were advised to change account passwords and remain vigilant against phishing attempts. Thermae explicitly reassured patrons that no security cameras were positioned in areas where guests were nude or in swimwear, eliminating risks of stolen intimate imagery. Medical records stored in a separate digital environment remained unaffected by the attack. Restoration efforts relied on verified backups, which experts scrutinized before data was migrated to new systems with enhanced security measures. All operations resumed fully following this recovery process, with no lingering disruptions reported. The incident highlighted operational vulnerabilities despite the company’s assertion of robust pre-attack security measures comparable to industry standards.
