Vulnerability in Software Used by Dutch Market Research Firms Results in Large-Scale Data Breach

Apr 12, 2023

Another case of a third-party vendor data breach exposing the information of multiple clients has taken place, this time in the Netherlands. Nebu, a piece of marketing software used by numerous Dutch market research firms for creating surveys and maintaining contact information, is the source of the issue.

As the data breach is focused on survey information, the impact appears to be at least somewhat limited, even though an estimated two million records have been lost. However, the surveys may pair sensitive demographic information with identifying contact information, and in at least one case appear to have included income information.

Market research firms lose collected survey information as vendor is breached

The lost data appears to have come from surveys sent out by the market research firms to follow up on purchases and things of that nature. In general that would mean basic contact information, but it could also include more sensitive demographic details such as race, sexuality, health status and religion. All in all, survey responses provide the core of the information profile that scammers and hackers seek in order to carry out targeted phishing attacks and identity theft attempts.

It is hard to get a complete picture of what was lost in the data breach at this point, as a number of market research firms were impacted and each has its own variety of clients. Income questions are not uncommon on surveys, however, and income information appears to have been included in at least one instance (a survey conducted on behalf of a pension fund).

Compounding the difficulty is that Nebu has yet to provide meaningful details about the incident. It is not known exactly how the company was breached, and only a small handful of market research firms that are potentially impacted have come forward to confirm personal data breaches.

Data breach impacts at least two million

The market research firm that has experienced the largest data breach thus far is Blauw, which has contracts with both government agencies and some major private companies in the country. Over 780,000 respondents to a Netherlands national railway survey have apparently been exposed, along with another 700,000 customers of VodafoneZiggo and smaller numbers from a number of other Blauw clients.

The second-biggest data breach reported so far is at USP. Also a market research firm, the company says that a total of 350,000 records of people living outside the Netherlands, along with as many as 150,000 Netherlands residents, have been leaked. USP says that most of these exposed records contained contact email addresses and telephone numbers.

The scope of the data breach may expand in the coming days as a number of other market research firms are known to use Nebu, but have not reported in yet (though at this point several have affirmed that they have seen no evidence of a breach).
