Cyber Incident Victim: Portaal
Date:
May 2024
Location:
Netherlands
Summary
A supplier handling digital communications for Portaal suffered a data breach, potentially exposing residents' personal information including names, addresses, email addresses, phone numbers, and bank account details, though no passwords or sensitive data were compromised. Following an investigation, the supplier confirmed no resident data was stolen or accessed. The organization reported the incident to the relevant data protection authority and temporarily paused rent-related email communications before resuming operations. Residents were cautioned about potential phishing attempts mimicking legitimate communications, with reminders that official contacts would never request passwords or bank details and would use verified domains.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 4 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On May 17, 2024, Portaal, a Dutch housing association, disclosed a data breach originating from one of its suppliers responsible for transmitting digital communications on its behalf. The supplier notified Portaal that it had fallen victim to an incident potentially exposing tenant personal data, though the full scope remained under investigation at the time of initial reporting. Portaal immediately filed a notification with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and awaited the supplier’s forensic findings to determine whether tenant information—including names, addresses, email addresses, telephone numbers, and bank account numbers—had been exfiltrated. The organization clarified that no passwords or other sensitive authentication credentials were compromised. Portaal committed to directly notifying affected individuals upon confirmation of data exposure but preemptively warned tenants to scrutinize communications purporting to originate from Portaal, citing risks of phishing or social engineering attacks leveraging potentially leaked data. Operational disruptions occurred, with Portaal unable to send routine rent-related emails until partial service restoration on May 23.
By May 28, 2024, Portaal confirmed the supplier’s investigation concluded no tenant data had been accessed or stolen during the breach. This final update resolved initial concerns about data exposure but reinforced existing warnings about fraudulent communications impersonating Portaal. The organization reiterated its communication protocols: legitimate Portaal emails use @portaal.nl domains, and staff never request passwords, PINs, or bank details via phone, email, or messaging platforms. Tenants were advised to report suspicious contacts to a dedicated verification email ([email protected]) or phone line (088 - 767 82 25). No additional technical details regarding the breach’s cause, attacker identity, or the supplier’s remediation steps were disclosed. Portaal’s public communications focused exclusively on tenant guidance and incident status updates without elaborating on internal or supplier-side containment measures beyond the confirmation of restored email functionality and the absence of data compromise.