Number of reports of cyber attacks has increased fivefold, according to regulator AP

The number of data leaks and successful cyber attacks on Dutch organizations has increased significantly compared to 2023. This is evident from the 'Data Leak Report 2024' that the Dutch Data Protection Authority published on Thursday morning.

Last year, 37,839 data breach reports were filed with the AP in the Netherlands, compared to 25,694 a year earlier. And while 1,309 reports of cyber attacks were filed in 2023, there were 6,837 in 2024.

These attacks are also hitting targets more often, the AP warns. At least 53 percent of ransomware attacks – in which cybercriminals hold sensitive data hostage with malicious software until a ransom is paid – involved theft of data, compared to 24 percent in 2023. There were at least 112 successful ransomware attacks in 2024. AP board member Katja Mur speaks of "a worrying trend."

One company

The vast majority of the total of 6,837 reported data leaks as a result of cybercrime came from one company: AddComm. The agency, which handles customer communications for over five thousand companies, was the victim of a ransomware attack that stole data from 1.5 million people. AddComm made a so-called bulk report for all companies involved. In total, five million people fell victim to a cyber attack in 2024, according to the AP.

After further investigation of a number of cyber attacks, the AP concluded that 30 percent of those companies had no or insufficient policy to prevent cybercrime. 40 percent did have policy but implemented it incorrectly. "For example, updates were not performed often enough or passwords were not changed and two-step verification was often missing," says Anne Bergen, senior data leak inspector at the AP.

"There is also sometimes human deception," says Bergen. For example, an employee can click on a phishing link in an email, which allows a hacker to gain unauthorized access to data. A cyber attack in which hackers gain access to, for example, an email account, online bank account or social media profile occurs most often, at 42 percent.

Bergen tells about a data breach notification that the AP received from a law firm. After investigation by the AP, it turned out that the mailbox contained copies of 32 passports that may have been viewed or stolen.

Identity fraud

The AP sees major risks for victims when their data is stolen. Criminals can use stolen personal data to commit identity fraud, for example. According to the Central Reporting Point for Identity Fraud, 7,000 citizens reported possible identity fraud last year.

The damage can also be great for companies, says Nienke Kolthof, data leak coordinator at the AP. "It can take a long time before the attacked system is working again, which causes a loss of productivity and turnover." A cyber attack costs an organization an average of €100,000 and most organizations lose €30,000, for example, hiring external specialists and possibly paying ransom. Not to mention possible reputational damage.