For example, the IT supplier of a midwifery practice had to deal with a ransomware attack, in which its systems were held hostage. In addition, the patient files had been copied by the criminals. The IT supplier had to pay a ransom, or the patient data would be published.
Seven million people
The AP believes that those patients should be informed in such a case. After all, it concerns their personal and sometimes also medical data. But that doesn’t always happen.
Last year, 28 incidents at IT suppliers came to light at the regulator. The AP estimates that the private information of seven million people was leaked as a result. But probably only a few hundred thousand people have been informed, Dennis Davrados of the privacy watchdog told RTL Nieuws.
The regulator considers it important that people are informed, because then victims can protect themselves: for example, by changing their passwords, or by being alert to fake emails that appear to come from the hacked company.
Many companies as customers
IT companies often have many other companies as customers. That makes them attractive targets for cyber criminals: by threatening to disclose the private information of those customers, the criminals can demand more money.
“For example, multiple midwifery practices use a software package from one IT vendor,” Davrados says. “If there is an attack on the IT company, a lot of obstetric practices are affected. So many people are affected.”
The AP may launch an in-depth investigation if many people are at risk. In 2021, the regulator launched 36 major investigations; fourteen of these were about IT companies. If it turns out that they have violated the privacy law, they can be fined, among other things.
Affected IT suppliers often inform their customers about a data breach too slowly or incompletely, the AP also notes. For example, the supplier withholds things for fear of reputational damage. This makes it more difficult to warn people whose data has (possibly) been stolen. Often it is not the IT supplier, but the customer of that company that is responsible for this.
Companies are obliged to report a data breach to the regulator if there are major risks for victims. In total, the regulator receives about 25,000 reports of data breaches per year. The 28 incidents at IT companies together accounted for 1,800 of those reports.