Cyber Incident Victim: Nebu

Date: Feb 2023

Location: Netherlands

Summary

A cyberattack targeting Nebu, a software supplier used by multiple Dutch marketing agencies, resulted in a significant data breach potentially affecting millions of individuals. Compromised personal data included names, email addresses, telephone numbers, genders, and in some cases income details from organizations such as NS, VodafoneZiggo, the National Postcode Lottery, ProRail, RVO, PME pension fund, and several housing corporations. The attackers exfiltrated information from surveys and customer interactions stored on Nebu's systems, though the full scope remains unclear due to terabytes of exposed data. Following the breach, Nebu removed contact details from its website, impeding communication with affected agencies, which initiated legal proceedings to compel disclosure of stolen data specifics. Multiple entities reported the incident to Dutch data protection authorities.

Description

On March 31, 2023, Dutch media reported a significant data breach involving Nebu, a Hungarian software supplier with a Dutch branch in Wormerveer, North Holland. The incident occurred approximately two weeks prior when cybercriminals compromised Nebu's systems, gaining unauthorized access to personal data collected through customer surveys administered by multiple Dutch marketing agencies. Nebu's clients included prominent market research firms Blauw and USP, which conducted surveys for major Dutch organizations such as NS (Dutch Railways), VodafoneZiggo, the National Postcode Lottery, ProRail, the Netherlands Enterprise Agency (RVO), and the PME pension fund. The attackers exfiltrated personal information including names, telephone numbers, email addresses, genders, and in some cases income data from pension accruals. Initial estimates suggested millions of Dutch citizens were affected, with NS reporting 780,000 compromised records and VodafoneZiggo confirming 700,000 impacted customers.

Nebu confirmed that a data transfer had occurred but provided no specifics on the scope, leaving affected organizations unable to determine exact exposure levels. Blauw disclosed that its servers stored terabytes of survey data through Nebu's platform, though experts speculated attackers likely prioritized high-value information rather than downloading entire datasets. The breach's impact expanded as additional victims emerged, including housing corporations Stadgenoot, Haag Wonen, and Vivare, alongside healthcare provider CZ and transport company Trevvel. Nebu's parent company, Canada-based Enghouse Systems, did not respond to inquiries. Following the breach, Nebu removed all contact details from its website, including its Dutch telephone number, severely hampering communication. This lack of transparency prompted Blauw to initiate summary proceedings, a historic legal action against a software supplier in the Netherlands, demanding disclosure of breached data specifics and security failure details. Multiple organizations reported the incident to the Dutch Data Protection Authority (AP) and notified affected individuals about potential phishing risks. As of March 31, Nebu had not provided required breach documentation, leaving agencies unable to fulfill regulatory obligations or determine future collaboration with the supplier.
