Dutch railway NS warns 780,000 customers about data breach

The Dutch national railway, NS, has warned about 780,000 customers that their personal data may be involved in a data breach.The train operator works closely with market research firm Blauw. External parties gained access to personal data at via a software supplier for that company. For example, e-mail addresses, telephone numbers or names of train passengers who participated in a satisfaction survey may have been leaked.

"Depending on the study in which the customer participated, this may concern personal data such as name, e-mail address and telephone number. It does not concern financial data or passwords," the NS said.

The railway company asked customers to pay extra attention to possible signs of phishing, a type of scam where criminals pose as someone else in emails and direct messages to steal passwords or other sensitive information. One method employed by phishing scammers includes sending an e-mail on behalf of a company.

NS gave the data that may have leaked out to market researcher Blauw, who could then use it to send invitations to people to participate in a survey. A spokesperson for the NS said it has not yet been established with certainty that this information has publicly leaked out, but the odds are so strong in favor of that having happened that the company felt the warning was necessary.

The data breach may also affect more companies. A spokesperson for Blauw said that persons from outside their company may have been able to access the data of fourteen clients, but the research agency was not willing to provide their names. The number of people whose data those companies supplied to Blauw varies from "hundreds of thousands, namely at the NS, to several hundred at the smaller clients."

Blauw received a message last Friday that an unauthorized person had access to the software supplier's network. On Monday, this supplier confirmed that data had actually been stolen. The company is still investigating exactly what data was either stolen or viewed by unauthorized persons. Access to the personal data has now been closed, said the spokesperson for Blauw. He would not reveal the name of the software supplier.

NS and Blauw have both reported the incident to the Dutch Data Protection Authority. The organization has seen the number of data leaks as a result of cyber attacks rise sharply in recent times. In 2021, the year with the most recent figures, there were about 88 percent more incidents of this kind than a year earlier. A spokesperson explained that, in principle, the companies that collect personal data also remain responsible for the protection of that data.