Cybercriminals have attacked one of our suppliers with ransomware. This supplier provides the automated sending of tax assessments and reminders for a number of tax offices and a large number of companies. They may thereby also have stolen data about individuals and companies in our area. The question of whether that is the case, and if so which ones, is currently being investigated.
What is a ransomware attack?
In a ransomware attack, criminals encrypt files. This prevents a company from accessing those files. The criminals often demand money to restore access to the files. In the attack on our supplier, the encrypted data has not yet been sold or made public.
Can you still safely manage your affairs digitally with the RBG?
You certainly can. Our systems have not been hacked. You can manage your tax affairs in our secure environment My RBG.
What does our supplier do?
Our supplier sends our tax assessments and other letters. They do this by post and digitally. The RBG provides data for this purpose via a secure connection. More information about the attack can be found on our supplier’s website. This also explains what they are doing to limit the damage. And how they are restarting their services securely.
What data does the RBG provide?
This consists of name, address, place of residence, citizen service number (BSN), bank account number, a number of e-mail addresses and ownership details of residential and commercial properties.
What data was stolen?
We don not know that yet. Our supplier is investigating which data was stolen. They are being assisted in this by a company that specialises in cybersecurity. Our supplier works for some 60 companies and government agencies.
What has the RBG done so far?
- We are in constant contact with our supplier. Much remains unclear
- We have severed all digital connections with our supplier
- We have examined our own tax system. This showed that the cybercriminals did not penetrate our tax system
- We have informed all relevant organisations. And the municipal councils and water boards that we work for, of course
- We have made a preliminary notification of a possible data breach to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
What can you do?
It is important to always pay attention to the following.
- Do not open e-mails from unknown senders.
- Do not click on links in e-mails from unknown senders
- Never open attachments in e-mails from people you do not know.
- Do not share personal information with people you do not know via e-mail, text or phone.
- Make sure the message really has come from that sender.
- Pay particular attention to messages that appear to come from your bank. If you are unsure, check with your bank whether the message is genuine.
You can find more information on our page phishing/nepmail.
What next?
We are in constant contact with our supplier. As soon as we know what data is involved, we will let you know on our website. However, the investigation may take some time.
Where to ask your questions?
We believe that protecting your data is very important. We therefore make every effort to protect your data. We had also made agreements with our supplier about proper security. And these are also checked. Unfortunately, cybercriminals are always finding new ways to penetrate well-secured systems. This is very annoying for everyone affected by it. We understand that you may be worried. You can call us about this if you want to. We are available on weekdays from 9:00 to 17:00 on 088 291 10 00. You can also send us a message using our contact form.