Leaseweb, one of the world's largest hosting companies, refuses to share an important security investigation with the Dutch Data Protection Authority (AP) after a cyber attack last August.

The Dutch Leaseweb reported a data breach to the AP, the government's privacy regulator, at the end of August. A few days earlier, Leaseweb informed its customers about a cyber attack. Key systems were disabled and the internet servers of “a small number” of customers went offline. In the following months, the supervisor repeatedly asked for more information about the incident, but did not receive important information.

Details about Leaseweb's refusal to provide full disclosure are now emerging because the AP subsequently turned to security company Northwave for information. Northwave assisted Leaseweb after the cyber attack and prepared an investigation report.

The privacy watchdog was also rebuffed by Northwave. Last week, a judge canceled a penalty that the regulator had imposed on the security company when it also refused to provide information about the incident. The Central Netherlands District Court states in the verdict, published this week, that the Dutch Data Protection Authority must first increase the pressure on Leaseweb before forcibly requesting documents from third parties.

Leaseweb's rigid attitude is surprising to the Dutch Data Protection Authority. “If such an organization continues to structurally refuse to share information, we as a supervisor must do something about it,” says a spokesperson. “The impact of a data breach at a party like Leaseweb is potentially significant due to the size of the company alone.”

Large hosting providers such as Leaseweb are interesting targets for hacks. The company, with a turnover of 160 million euros in 2021, manages 25 data centers on four continents and rents internet space to around 20,000 customers worldwide. This is a good position for hackers to quickly gain more information about or access to other systems; it is like a housing association that has access to countless houses and apartments with a master key.

Despite repeated requests for information, Leaseweb has not responded to questions from NRC. Details about the impact of the August hack remain scarce. In a brief statement on August 25 published by international tech blogs, the company reported “unusual activity within certain areas of our cloud environments.” According to Leaseweb, “quick and decisive steps” were then taken to limit “potential risks”. The portal where customers manage their purchased hosting packages was offline for several hours.

Leaseweb also immediately announced that it had hired “a renowned cybersecurity company” to conduct an investigation. “We successfully contained the incident, enhanced our security measures and no longer encountered any unauthorized activity,” the statement concluded. “The investigation is still ongoing.”

That renowned security company was Northwave, a Dutch company that offers, among other things, incident response. In major digital crises, specialized hackers from cybersecurity companies take action. After a cyber attack, they start, often on site, with the recovery and cleaning of the network – during ransomware attacks, the entire digital infrastructure of an organization often has to be rebuilt. They also collect forensic data and investigate the causes of the hack.

Security companies then write a detailed technical research report so that it is clear which vulnerabilities hackers exploited to gain access to the systems and how such an attack can be prevented in the future. Such reports rarely become public, and when they do, they often contain extremely painful matters. For example, the hack at Maastricht University was caused by a phishing attack that was not handled properly, and in the municipality of Hof van Twente it turned out that someone had changed an important password to the weak 'Welcome2020'.

Northwave itself neither denies nor confirms that it assisted Leaseweb. However, in the ruling in the case between AP and Northwave, the court writes about “a large hosting provider” that reported a data breach on August 25. A source close to Leaseweb confirms to NRC that the lawsuit revolves around the investigation report into the incident at Leaseweb.

Soon after reporting the data breach, the Dutch Data Protection Authority announced that it wanted to read Northwave's report as soon as it was completed. However, Leaseweb does not want to submit the full report and, according to the court, only sends a letter from Northwave and “an appendix” to the supervisor. Threats from the AP with a visit to the head office or an order subject to penalty subsequently have no effect: Leaseweb states that the letter contains the complete investigation report and thus the “obligation to cooperate” has been met.

This spring, the AP turns to Northwave to obtain the report on the incident. When the security company refuses for reasons of principle, a penalty is imposed on it. Northwave director Steven Dondorp reacts furiously and believes that the AP is taking an improper shortcut. According to him, cybersecurity companies must be able to work in confidence. He says: “We also think the order is wrong: the AP must first exercise all its power and coercion on customers. They are responsible. In this case, the AP immediately imposed a penalty on us, while they did not even try to do so with the customer.”

Industry association Cyberveilig Nederland (CVNL), of which Dondorp is chairman, shares Northwave's position (Dondorp says he has abstained from discussions). In a letter sent to the AP, obtained by NRC, CVNL writes that it is “surprised and shocked” about the penalty imposed on its industry colleague.

CVNL director Petra Oldengarm: “If you, as a supervisor, enjoy shopping around in reports from… incident responders, this puts pressure on the relationship with their customers. Whether it is a large or small incident: our members must help their customers properly, without the supervisor breathing down their necks.”

Dondorp and Oldengarm both underline the importance of transparency and the regulator's right to information. Oldengarm: “We believe that the Dutch Data Protection Authority should be fully informed at all times. However, the AP must be at the correct counter. The customers of our members have that responsibility, the security companies themselves do not.”

Not well explained

For the same reason, the Central Netherlands court ruled in favor of Northwave on March 26. The Dutch Data Protection Authority must first contact Leaseweb to obtain the investigation report, the judge says. The court finds it “not well explainable” that an order subject to a penalty has not yet been imposed on Leaseweb.

“We have not lost sight of Leaseweb,” responds a spokesperson for the AP. “What played a role in our decision to impose a penalty on Northwave was speed. Our priority is getting access to information.”

“It is commendable that Leaseweb made a report in August,” the spokesperson continues. “But after such a report we sometimes request more information. If we do this repeatedly, but do not receive any information, a company should not be surprised that we think that information is being withheld. It may be that something is hidden, but that is not necessary. It just makes us more curious.”