Dutch National Railway data breach impacts 780,000 customers

The Dutch National Railway, known by the initials NS, started notifying 780,000 passengers on March 28 of a data breach exposing their personally identifiable information.

How it all began

According to the Dutch train operator, the breach originated via a software supplier of market research firm Blauw, the agency conducting customer satisfaction surveys for NS.

Although the exact circumstances of the cyberattack and data leak have yet to be identified, Blauw’s security notification may shed light on the potential data stolen from its software supplier.

The compromised data could include information provided by individuals who performed online customer satisfaction surveys, and that may consist of names and contact information such as email addresses and phone numbers, among others. No passwords or financial information was accessed or compromised.

“Unfortunately, as a market research agency, we have been confronted with a data breach,” Blauw’s data breach notice reads. “The breach occurred at Nebu B.V., a software supplier that we use for research. Third parties may have gained access to data that we collect and process for clients and for our own satisfaction surveys. This includes data necessary in order to invite people to participate in the research (names, email addresses, and phone numbers) and the answers given in the research.”

“We do not yet know exactly what has been stolen,” Blauw added. “At the moment, the investigation is ongoing to determine which data may have been viewed or stolen by unauthorized parties.

More data leaks to come

The data breach at software supplier Nebu also affected attendants of the De Vrienden van Amstel audiovisual festival who participated in customer satisfaction surveys on behalf of Heineken.

According to the NL Times, the data of 22,000 individuals who took the Vrienden van Amstel Live satisfactory survey was also stolen in the hack. The brewing company said it has already informed festival-goers and the Dutch Data Protection Authority of the breach.

According to Heineken, potentially stolen data includes gender, age, educational background, province and e-mail address of survey participants.

What can victims do?

Leaked information suggests cybercriminals may conduct targeted phishing attacks against survey participants. Threat actors could potentially use leaked phone numbers and email addresses to contact individuals and trick them into revealing sensitive data including passwords and credit card numbers.

Individuals notified of the breach should expect more unsolicited correspondence and watch messages closely for red flags such as:

• Notifications regarding suspicious account activity
• Emails or messages announcing you’ve won gift vouchers for completing the online survey
• Phone calls from NS or Heineken asking you to provide personal data, passwords or any other form of credentials

Check now whether your personal info has been stolen or made public on the internet, with Bitdefender’s Digital Identity Protection. The dedicated identity protection service helps you stay on top of data breaches and privacy threats, with 24/7 monitoring and instant alerts whenever your personal information is at risk.