Market research security breach spreads, millions of people affected
The number of companies and people affected by a massive data hack linked to market research software continued to grow on Friday, to include the Postcode Lottery, engineering pension fund PME and a string of housing corporations.
At the same time, Nebu, the Wormerveer-based software firm thought to be at the centre of the scandal, has removed its contact details from the website, and its Canadian owner Enghouse, which is listed on the Toronto stock exchange, is not answering questions about the leak.
Exactly how many people have been affected remains unclear. However, the total is likely to exceed two million, including 780,000 NS clients, 700,000 people who follow the Vrienden van Amstel Live concert series and 700,000 clients of telco VodafoneZiggo.
Pension fund PME told pensions news website IPE.com that the data leaked included the family names, age and gender of 95,000 participants, as well as phone numbers of thousands of them. Health care provider CZ, the Dutch golf federation, health and safety body ArboNed, transport company Trevvel, and the Netherlands enterprise agency RVO have also been affected.
Privacy watchdog Autoriteit Persoonsgegevens has started an investigation into the leak but said it had yet to put together a complete picture of what happened. The agency said in particular it wants to know what was in the contracts between the various companies involved about protecting private information.
Nebu works closely with Blauw Research, whose chief executive Jos Vink told NOS ‘alarm bells started to ring’ two weeks ago when a technical problem at Nebu turned out to be a cyber attack. Nebu then ‘refused to cooperate in any way’ when Vink contacted them to find out how long the hackers had been active and what data had been stolen.
Companies wanting to know how clients feel about their services turn to market researchers such as Blauw, who then use Nebu software to carry out the survey, including questions of a personal nature.
‘This incident shows that one weak link at a provider can have major implications for the security of the whole digital chain,’ Dave Maasland of security firm ESET Nederland told the broadcaster.
Money
Maasland said the hack is aimed at conning people out of their money in a way that seems plausible.
‘If you have just participated in a survey about client satisfaction and it says “click here for your thank you gift voucher” it would be very difficult not to,’ he said. Maasland said people should look out for e-mails that demand immediate action. ‘That is the main giveaway,’ he said.
Nebu was founded in the Netherlands in 1992 and has outlets in the UK and Hungary as well as the Netherlands. It also, according to the website, has partnerships with agents in Sweden, Germany, USA, and Australia.
It was taken over by Canada’s Enghouse in June 2021, according to a company press release.
Dutch News has contacted Nebu for comment in the Netherlands and Enghouse in Canada.