Software supplier Nebu from Wormerveer must provide more information to one of its clients, market researcher Blauw from Rotterdam, about a data leak. This has been decided by the Rotterdam court in preliminary relief proceedings brought by Blauw.

The reason for the lawsuit was a break-in last month in Nebu’s computer systems. As a result, the personal data of possibly several million Dutch people have been exposed. Blauw wants more information about exactly what happened, how big the data leak is and what the consequences are.

According to Blauw, the information that Nebu has provided so far is completely insufficient. The court shares that view. 'In the agreement between both parties, Nebu is obliged to inform Blauw about incidents related to the processing of personal data and to follow Blauw's instructions in such a case. In the provisional opinion of the preliminary relief judge, Blauw's right of instruction and Nebu's obligation to comply with it must be interpreted broadly'.

Forensic investigation

Nebu also has to provide Blue with ‘extensive information about the data leak and answer questions’ from the preliminary relief judge. In addition, Nebu must have an independent forensic investigation carried out into the data breach.

On March 10, the cybercriminals broke into Nebu. That was discovered more than a day later. In the meantime, the hackers had stolen information from the market researchers. The Dutch Data Protection Authority (AP) has announced that 139 organizations in the Netherlands may be the victims of this data leak. Nebu makes the software that market researchers use to gauge what their customers think for companies. Blauw does this for NS, Vodafone, Ziggo, CZ, Friends of Amstel Live, ArboNed and Trevvel, among others.

