
Cyber Incident Victim: Staedion

Date: May 2024

Location: Netherlands

Summary

A data breach occurred at Staedion's communications supplier AddComm, potentially exposing tenant personal data, though specific compromised details remain undetermined and no passwords were confirmed leaked. The housing association reported the incident to Dutch data protection authorities while AddComm investigates the scope and nature of accessed information. Tenants were warned of a heightened risk of phishing through fraudulent communications impersonating the organization, and were given guidance for identifying legitimate correspondence: it comes from the official email domains and contains no password or payment requests.


Description

On May 17, 2024, Dutch housing corporation Staedion disclosed a data breach involving its third-party supplier AddComm, which provides digital communication services for tenant interactions. The incident involved unauthorized access to Staedion tenant personal data processed by AddComm, though the specific types of compromised data remained undetermined at the time of disclosure. Staedion confirmed no passwords were exposed in the breach. AddComm initiated an investigation to determine whether data theft occurred and to identify the exact scope of affected records. Staedion filed a mandatory breach notification with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) following discovery of the incident. The organization committed to notifying affected tenants promptly upon receiving confirmation from AddComm regarding whose data was involved and which data elements were accessed.

Staedion issued warnings to tenants about heightened phishing risks stemming from the breach, advising vigilance against unsolicited communications via email, SMS, WhatsApp, phone calls, or physical mail impersonating Staedion. The alert specified that legitimate Staedion emails exclusively use domains @staedion.nl or @nieuwsbrief.staedion.nl and emphasized that the organization never requests banking details, PINs, or passwords through any channel. Tenants were instructed to report suspicious communications to [email protected] or via a dedicated phone line and to terminate calls if asked for sensitive information. The supplier investigation remained ongoing with no public timeline for resolution, leaving the full impact on tenants undefined beyond the confirmed absence of credential exposure.
