
SOMI Newsletter - April 21st, 2023

This is the newsletter for April 2023 from the Foundation for Market Information Research to its relations, including the participants in its actions, its sympathizers, media professionals and app users.

Thu, Apr 20, 2023

Data Breach Joris Zorg

On Thursday, April 20, Joris Zorg Group reported a data breach. The Joris Zorg Group has 500 employees, 320 volunteers and 720 clients. 


The data leak was caused by a data theft by the hacking group Bitlock. They threatened to make the stolen data public if they were not paid.


Joris Zorg has indicated that it does not want to negotiate with criminals. The data was then published by the hacking group on the Dark Web.


SOMI is handling the case.


We have been able to recover part of the stolen files that have now been published on the Dark Web. We cannot discuss this in detail, but it seems that the following data, among others, have been published:

- Reviews and private addresses of employees

- Correspondence between the care institution and relatives about the clients

- Terminality statements from clients

- Treatment reports and records of medication


This covers a period from 2019 to now.


As far as we have been able to confirm, the Joris Group has taken a position that it will not negotiate. If this is the case, then in principle it has not taken into account the interests of victims whose data have now been published (with all the consequences that entails). 


SOMI intends to submit a complaint about this to the Dutch Data Protection Authority on behalf of the victims. We believe it is important for the regulator to investigate this.


If you are an employee or a family member of a client of the Zorg Group, we urge you to contact us. You can do this by sending an e-mail to: info@somi.nl. Your response will be treated confidentially.


SOMI represents more than 75,000 Dutch people in protecting privacy and maintaining data autonomy. Sign up if you want to be informed about our progress on this matter.

Updates

Upcoming: TikTok oral hearing on June 28th, 2023

As TikTok has submitted the statement on admissibility of plaintiffs, applicable law and designation of exclusive representative on February 22nd, the date for the next oral hearing has been determined to be on Wednesday, June 28th at the District Court of Amsterdam. Click here for more information.

Potential largest data breach in the Netherlands

On 10 March 2023, a malicious actor broke into the systems of Nebu, a software supplier for market research. This breach concerns consumer data from a number of Dutch market research companies that use Nebu's software, and it appears to include the personal data from about two million Netherlands residents.


In total, 139 organizations have reported to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) that their customer data has been involved in this breach. The breached data seems to consist mostly of contact information such as names and email addresses, but also includes some income data, and in a small number of cases it is possible that more sensitive personal information was included as well.


One of Nebu's clients, Blauw, a qualitative market research firm, filed a lawsuit against Nebu for inadequate information provision about this data breach. Blauw has some major clients, including NS, VodafoneZiggo, CZ, Trevvel, and many more. According to Blauw, it took Nebu 2 weeks to report the data breach and, since then, Nebu has been difficult to reach and has hardly provided any information about the breach.


On April 6th, the court of Rotterdam ordered Nebu to provide information about the data breach to Blauw. Since Nebu has failed to indicate whether the data from (the clients of) Blauw has been stolen or not, the judge also ordered Nebu to conduct an independent forensic investigation into the incident (source: privacy-web.nl).


This data breach increases the risk of phishing attacks and other scams. Malicious actors can use the stolen contact data to lure the victims into providing access to their accounts or, worse, into making bank transactions. Therefore, it is very important for the victims to be notified about the breach so that they can take action, such as changing their passwords, as soon as possible.


The fact that it took Nebu over 2 weeks to report the breach left the victims exposed for too long. SOMI is currently investigating this case and we are determined to find out whether this breach has caused any damage to people in the Netherlands. There might be a possibility for SOMI to initiate a claim on this incident.

In the news

Menno Weij on BNR on the verdict between Nebu and Blauw

Menno Weij, a member of the supervisory board of SOMI, appeared on BNR with Liesbeth Staats and Kees Dorresteijn on April 6th to discuss the Rotterdam court's verdict in the case between Blauw and Nebu over the data breach.

Click here to listen on BNR (in Dutch)