In recent weeks, the Dutch Data Protection Authority (AP) has received 75 reports of data leaks at organizations that use Microsoft Exchange Server to receive and send e-mail. The National Cyber Security Center (NCSC) reported that at least 1,200 Dutch servers running Microsoft Exchange have been infected. The AP therefore fears that there are many more problems than just the 75 data breach reports received. The AP urges organizations to check their systems.
Aleid Wolfsen, chairman of the AP: ‘Many organizations worldwide have been affected, including in the Netherlands. We see from the incoming reports that criminals have often been able to view, copy and send all e-mail communications and address lists to an external address for further abuse.’
‘Because we have received 75 reports so far, we fear that many other burglaries have not yet been detected. We therefore expect even more data breach reports and a wave of ransomware cases,’ says Wolfsen.
Attackers could access email accounts, steal data and install their own software through vulnerabilities in Microsoft’s software.
Wolfsen: ‘Once criminals have entered, they often go about their business for a while within the system of such an organization. By installing ransomware software, they keep the organization in their grip, even after the leak has been closed.’
‘This allows them, for example, to shut down the server, so that the company can no longer function. To make the loot even bigger, they often try to extort the company with this ransomware software.’
The AP calls on organizations to check their systems for possible attacks and to always be on the lookout for suspicious movements within their network.
Organizations are legally obliged to close a data breach as soon as possible and to report the leak to the AP within 72 hours. They also usually have to inform the people concerned about the data breach, so that they can also take action themselves to limit the damage, for example by blocking their credit card.
Wolfsen: ‘Data theft increased by 30% last year. It is very worrying that personal data is increasingly the target of criminals. Because the theft of personal – and often sensitive – information can cause a lot of damage to people. For example, if criminals use the stolen personal data for identity fraud or fraud.’
Report data breach in time
Organizations with a data breach must report this to the AP via the data breach reporting desk. The AP has noticed that organizations do not report all data leaks that they should report. This becomes clear, for example, when victims leave a complaint or tip with the AP.
Wolfsen: ‘This is very serious. Because if people do not know that their data may be in the possession of criminals, they cannot take measures. Such as changing their password or blocking their credit card. The damage can then be considerable.’
The AP is currently conducting 9 investigations into data leaks that were not reported or were not reported on time. Organizations that do not report a data breach to the AP (in time) are in violation and can be fined.