The data breach took place at supplier market research agency Blauw.
As a precaution, NS today informed travelers about a possible data breach found at one of their suppliers. At the market research agency Blauw they work with, a data breach has been found. Some of the personal data of travelers may have been leaked, such as name, email address and telephone number. NS emphasizes that this does not concern financial data or possibly passwords or data about companies and employees.
On March 24, Blauw received a written message that there was unauthorized access to the software supplier's network. On March 27, this supplier confirmed that data had actually been stolen. The affected research agency works for Ahold, Ziggo, Philips, Heineken, Fox Sports, Markplaats, KNVB, Baxter and Nissan, among others.
Unfortunately, as a market research agency, we were confronted with a data breach at a supplier of software that we use for research. Third parties may have had access to data that we collect and process for clients and data for our own satisfaction survey. This concerns data that is necessary to invite people to participate in the survey (names, email addresses and telephone numbers) and the answers given in the survey. We will do everything we can in the coming period to continue to inform our clients as well as possible.
On the day that the foundation that submitted claims for compensation took the Ministry of Health, Welfare and Sport (VWS) and 34 other authorities (including regional GGDs) to court because of a data breach at the GGD during the corona pandemic, NS warns its 780.000 customers that there are a data breach has occurred at their supplier market research agency Blauw. This agency regularly conducts investigations on behalf of NS. Travelers who were invited to one or more of these surveys may be affected by the data breach. NS regrets that data was leaked and has taken immediate measures to close the data leak and to prevent a recurrence. They have also reported this to the Dutch Data Protection Authority.
"We therefore ask you to be extra alert to so-called phishing messages, such as an e-mail or Whatsapp message. Phishing messages appear to come from acquaintances or companies, but are actually sent by people with malicious intentions."
The obligation to report data breaches means that organizations (both companies and governments) must immediately report this to the Dutch Data Protection Authority (AP) as soon as they have a serious data breach. And sometimes they also have to report the data breach to the data subjects (the people whose personal data has been leaked). At one datalek it concerns access to or destruction, alteration or release of personal data at an organization, without this being the intention of this organization.
Phishing
The purpose of a phishing message is to get more information from travelers or to get them to make payments. Personal information may be used in such a phishing message. That way the message is more credible.
In 2020, NS also had to deal with malicious parties who gained access to the accounts. The NS noticed that strangers were trying to log in to travelers' accounts. They probably wanted to see if they could log in to NS with usernames and passwords that had been stolen from other sites. Even then, the NS reported the break-in to the Dutch Data Protection Authority and reported the computer intrusion to the police.
ProRail
Now that it appears that a software supplier that provides services to market researchers such as Blauw has been broken into, ProRail may also have been affected by this. This concerns 4300 people who have had telephone contact with the Public Information department. Only their names, telephone numbers and gender may have been captured (so no (email) addresses, financial data, etc.). They are also advised to be extra alert to telephone scams.
Would you like to know more about phishing? The central government has a special website for this: www.safeinternets.nl.
