Cyber Incident Victim: PME Pensioenfonds

Date: Mar 2023

Location: Netherlands

Summary

PME pensioenfonds was impacted by a data breach at a software supplier used by a research firm it works with. The incident potentially exposed personal data, though no concrete evidence was found that unauthorized parties actually viewed or stole the information or that it was published online. The organization reported the cybercrime to the police and notified the relevant data protection authority. As a precaution, PME also informed potentially affected parties and continues to monitor the situation.

Description

On or around March 28, 2023, PME pensioenfonds was informed of a data breach. The incident did not originate within PME's own systems but occurred at a software supplier used by a research bureau with which PME works. This event impacted multiple other organizations besides PME. Upon being notified, PME immediately initiated an internal process to determine the precise scope and nature of the data involved in the breach. The primary objective was to ascertain which specific data pertaining to PME's stakeholders had been potentially exposed due to the third-party supplier's incident.

PME engaged in close cooperation with specialized external research bureaus to investigate the breach's ramifications. A central line of inquiry was to determine whether unauthorized individuals had actually viewed or stolen the data. The investigation also focused on tracing the data's subsequent trajectory, specifically examining if it had been published or made available on the internet, including on the dark web. Following this extensive analysis, no concrete evidence was found to indicate that the data had been viewed by unauthorized parties or had been placed online.

As a standard precautionary measure and in compliance with regulatory obligations, PME formally reported the cybercrime incident to the police. A separate notification was made to the Autoriteit Persoonsgegevens (AP), the Dutch Data Protection Authority, to report the personal data breach. PME also proactively established contact with other relevant authorities as part of its response protocol. Understanding the potential risk to individuals, PME took steps to inform potentially affected stakeholders out of an abundance of caution, ensuring they were aware of the situation.

A significant component of the response involved guiding those potentially affected on how to protect themselves from secondary attacks. PME issued a warning to remain alert for phishing messages or suspicious phone calls. These types of communications often leverage personal information obtained from various sources and data breaches to appear more trustworthy, with the ultimate goal of harvesting more data or convincing individuals to make payments. The guidance advised individuals to hang up, not click on links, and never share personal information if a communication seems suspicious. PME explicitly stated that it would never initiate contact via WhatsApp or SMS, nor would it ever use those channels to request payments or the transmission of personal or other confidential data. Stakeholders were directed to the Dutch government's security website, veiliginternetten.nl, for further information on phishing and safe internet practices.

To maintain ongoing vigilance, PME contracted a reputable IT security company to perform periodic checks. This ongoing monitoring is designed to continuously scan the internet and dark web for any signs that the exposed data might appear at a later date. PME committed to providing updates on its dedicated webpage as new information became available. The organization reiterated its continuous commitment to working on the improvement of personal data security, treating the incident as a serious event despite the lack of evidence of actual misuse of the data. The public-facing communication regarding the incident was subsequently updated on September 5, 2023, reflecting the ongoing nature of the monitoring and response efforts.
