Cyber Incident Victim: Waterbedrijf Groningen
Date:
May 2024
Location:
Netherlands
Summary
Waterbedrijf Groningen experienced a potential compromise of customer data following a cyberattack on its supplier, AddComm, which handles billing communications for the water company and other entities. The attackers initially held data hostage in a ransomware attempt, but while this "gijzeling" was later thwarted, customer information may have been stolen—though not yet published or sold. The water company has preliminarily notified the Dutch data protection authority and awaits confirmation from AddComm regarding the scope of impacted data. Customers were alerted to heightened phishing risks due to the potential exposure of personal information.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On May 17, 2024, Waterbedrijf Groningen notified customers that their personal data may have been compromised following a cyberattack targeting AddComm, a third-party supplier responsible for distributing water tax invoices and customer communications. The attack involved criminals hijacking AddComm's systems and holding data hostage in an apparent ransomware attempt, though the data's "gijzeling" (hostage situation) was reportedly terminated by the morning of May 17. AddComm, which processes data for multiple water authorities, municipalities, and commercial clients, possesses extensive personal and business information, making it a high-value target. While the immediate ransomware threat was neutralized, Waterbedrijf Groningen acknowledged the possibility that customer data—including names, addresses, and billing details—had been exfiltrated during the breach. The water company emphasized it had not yet confirmed whether its specific customer datasets were accessed or stolen, pending AddComm's forensic investigation. As a precautionary measure, Waterbedrijf Groningen filed a provisional breach notification with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and initiated customer alerts about heightened phishing risks stemming from the incident.
The breach's operational impact centered on AddComm's compromised infrastructure, which handles both physical and digital billing distribution for Waterbedrijf Groningen. No direct intrusion into the water utility's own systems was reported. Potential consequences for customers included exposure to targeted phishing campaigns, fraudulent payment requests, and identity theft attempts leveraging stolen billing information. Waterbedrijf Groningen advised customers to scrutinize all electronic communications, discard suspicious emails from unknown senders, avoid clicking links or attachments in unsolicited messages, and verify any unusual requests for personal information by contacting their official customer service line. The company reiterated that legitimate communications from its organization would never solicit sensitive data via email, SMS, or unsolicited calls. As of the notification date, no evidence indicated that stolen data had been published or sold on illicit platforms. Waterbedrijf Groningen maintained ongoing coordination with AddComm to determine the breach's scope and committed to updating affected parties once forensic findings confirmed the status of their data.