Cyber Incident Victim: Coen Hagedoorn Bouwgroep
Date: Jun 2023
Location: Netherlands
Summary
Coen Hagedoorn Bouwgroep, a maintenance contractor for housing corporations, suffered a ransomware attack that led to unauthorized access to its systems. The incident potentially compromised the confidentiality of managed data, including a customer database containing tenant names, phone numbers, and email addresses. While the company initially stated the chance of a data leak was very small, it could not guarantee it and reported the incident to the data protection authority. Attackers subsequently used the stolen information to send out emails.
Description
On June 15, 2023, Coen Hagedoorn Bouwgroep, a contractor that performs maintenance work for housing corporations, fell victim to a ransomware attack. The attackers gained unauthorized access to the company's computer systems; the company did not publicly disclose the specific method of initial access. The incident had potential consequences for the confidentiality of the data managed by the contractor, including its customer database, which contained the personal information of tenants of its housing corporation clients.

Following the attack, the company took immediate action to stop the data breach and prevent further access to tenant data. Coen Hagedoorn Bouwgroep initiated an investigation into the incident to determine the full scope and impact. Initial communications from the company to its partners indicated a degree of uncertainty regarding whether tenant data had actually been exfiltrated. One housing corporation, Woonpartners Midden-Holland, reported at the end of June that, based on information from Coen Hagedoorn, the investigation had found no data leak had occurred and no suspicious activities were detected. The contractor stated that all systems were operational again and had been checked.
However, subsequent findings led to a revised assessment of the situation. In a later message sent directly to affected tenants, Coen Hagedoorn Bouwgroep stated it could no longer rule out the possibility that data was indeed stolen during the ransomware attack. The company informed tenants that while the chance their data was leaked was very small, it could not guarantee this with 100 percent certainty. The types of personal data potentially involved in the breach were identified as name, telephone number, and email address.
The ransomware attack encrypted files on the company's systems. According to guidance from the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP), the encryption of files containing personal data constitutes a data breach. The AP's position is that for ransomware to encrypt files, an attacker must first have gained access to and opened those files. This access means the criminal could have viewed, copied, stolen, or manipulated the data within those files. The AP further clarifies that organizations unable to establish with certainty that data was not stolen should not assume it was not. A lack of proof that data was copied is not the same as proof that it was not copied.
In response to the incident, Coen Hagedoorn Bouwgroep formally reported the cyberattack to the Autoriteit Persoonsgegevens as a potential data breach. The company also directly notified the affected tenants about the event and the potential compromise of their personal information. Housing corporations that were clients of Coen Hagedoorn, including Vestia and WoonInvest, also informed their tenants about the attack on their contractor. These corporations relayed the warning from Coen Hagedoorn that the attackers were potentially using the stolen data to send emails.
The primary impact warned of was an increased risk of phishing attempts. Tenants were advised to be alert to emails received in the name of Coen Hagedoorn Bouwgroep. They were cautioned that such emails might look normal but could contain phishing attempts or other malicious activity. The housing corporation WoonInvest also reported the potential leak of tenant data to the AP on behalf of the affected individuals.
The incident underscores the cascading risks within a supply chain, where a cyberattack on a single service provider can potentially compromise the personal data of clients' customers. The response involved immediate containment by the contractor, investigation, notification to the data protection authority, and communication to the data subjects. The full extent of the data exfiltration had not been conclusively determined or publicly disclosed at the time of reporting, leading to a precautionary notification based on the risk that data was accessed. The compromise involved basic contact details, which, while not highly sensitive, can be leveraged for social engineering and phishing campaigns, as indicated by the warnings issued to tenants.
