Cyber Incident Victim: Nederlandse Spoorwegen
Date: Mar 2023
Location: Netherlands
Summary
A cybersecurity incident involving Nederlandse Spoorwegen (NS) stemmed from a data breach at a supplier to Blauw, a market research agency partnered with the railway operator. Potentially affected individuals included approximately 780,000 customers who participated in satisfaction surveys conducted by Blauw, with exposed personal data potentially encompassing names, email addresses, and phone numbers—though no financial information or passwords were compromised. The organization proactively notified impacted customers, advised vigilance against phishing, directed Blauw to investigate the root cause, and ensured corrective measures were implemented to prevent recurrence, alongside reporting the breach to the relevant data protection authority.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On March 25, 2023, Nederlandse Spoorwegen (NS) received notification from its market research partner Blauw regarding a potential data breach involving customer information. Blauw reported that a security incident had occurred at one of its suppliers, potentially exposing personal data of NS customers who had participated in customer satisfaction surveys conducted by Blauw. The breach did not involve NS's own systems but stemmed from compromised security at this third-party supplier in Blauw's supply chain. NS immediately initiated precautionary measures by sending email notifications to approximately 780,000 potentially affected customers, advising them to remain vigilant against potential phishing attempts. The exposed data included basic personal information such as names, email addresses, and telephone numbers, with the specific details varying depending on which survey each customer had completed. Importantly, no financial data, login credentials, or password information was compromised in the incident.

Blauw implemented immediate corrective actions upon discovering the breach, taking steps to secure the vulnerability and prevent similar incidents from recurring. NS emphasized that while customer data might have been exposed, the breach originated outside its direct infrastructure through Blauw's supplier network. The railway company formally reported the incident to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) as required by data protection regulations. NS directed Blauw to conduct a thorough investigation into the circumstances that allowed the breach to occur, seeking to establish full accountability and remediation measures through its contractor. The primary operational impact centered on heightened phishing risks for affected customers due to the exposure of contact information, though no direct operational disruptions to NS's transportation services or internal systems resulted from this third-party data compromise.
