The Nebu Incident: When a Supplier Suddenly Gains Visibility

Marcel

December 30, 2025

Cyber incidents are increasingly less confined to the boundaries of a single organization. The data breach at Nebu is a clear example of this. What began as a security incident at a relatively unknown software supplier quickly had a much broader impact. Not because it was technically so exceptional, but because the consequences became visible to organizations that serve millions of people daily.

Attention to the incident increased when organizations such as Nederlandse Spoorwegen and VodafoneZiggo, along with healthcare and pension organizations, had to inform their customers and participants about potentially leaked personal data. It was striking that these organizations themselves had not observed an attack. Their systems functioned as expected, yet the impact was still felt.

This is precisely what makes the Nebu incident recognizable to many executives and CISOs. The vulnerability was not in their own IT environment, but in a link further down the chain.

A Central Role, Largely Out of Sight

Nebu develops software for market research and customer satisfaction surveys. This software is used by market research agencies that conduct surveys on behalf of organizations among customers, travelers, insured parties, or participants. This involves processing personal data, such as names, email addresses, phone numbers, and additional data needed to analyze results.

For many end organizations, Nebu is not a party they have direct contact with. The relationship runs through the research agency executing the assignment. At the same time, this means that large amounts of data converge in one technical environment, without the end organizations having day-to-day insight into it.

This is not an exceptional situation. In many digital chains, there are suppliers who are functionally seen as supportive, but operationally hold a key position. The Nebu incident suddenly made that position visible.

How the Incident Unfolded

In the spring of 2023, it became clear that unauthorized parties had gained access to Nebu’s systems. Through this access, data that customers had stored on the platform could be viewed or stolen. Because Nebu itself does not communicate directly with end-users, notification had to pass through multiple layers.

Market research agencies informed their clients, who in turn had to inform their customers and participants and reported the incidents to the Dutch Data Protection Authority. As a result, the full extent of the incident was not immediately clear, but the picture gradually emerged.

Ultimately, it turned out that personal data of an estimated 2.5 million people were involved, spread across approximately 190 organizations. For many of these organizations, the incident only became concrete when they themselves had to communicate about it and account for it.

The Consequences for Visible Organizations

For organizations such as NS and VodafoneZiggo, this meant they became the point of contact for customer questions and concerns, even though the technical cause lay outside their own systems. Nevertheless, the responsibility for communication, explanation, and internal assessment rested with them.

In public perception, that distinction makes little difference. Citizens and customers turn to the organization with whom they have a direct relationship. Where the incident technically originated plays a subordinate role in that context.

This tension between technical cause and social responsibility clearly emerged during this incident.

What Data Was Involved?

The data involved in the Nebu incident largely consisted of contact details and research data. There were no indications that passwords or financial information had been leaked. At the same time, this type of information can be relevant for targeted phishing or deception, especially when combined with other available datasets.

In addition to the direct data risk, something else became apparent: the limited overview beforehand. Many organizations did not have a complete picture of which software suppliers were part of their data processing and how these suppliers related to each other within the chain.

This made it difficult to assess in advance where vulnerabilities lay and what the potential impact would be if one link failed.

Legal and Organizational Aftermath

Following the incident, investigations by the Dutch Data Protection Authority ensued, and legal proceedings arose between parties in the chain. These concerned, among other things, information provision, liability, and contractual agreements. Market research agencies indicated that they had not always been informed in a timely or complete manner about the nature and extent of the data breach.

This phase of the incident largely took place out of sight of end-users but did influence cooperation and trust between the parties involved. It made it clear that handling a supply-chain incident extends beyond technical recovery measures.

A Recognizable Pattern in Digital Chains

The Nebu incident is often mentioned in discussions about supply-chain cyber risks precisely because it is so recognizable. Organizations are increasingly using specialized suppliers who operate in the background but play a central role in data processing and digital processes.

These dependencies often arise gradually and are not always explicitly considered critical. Only when an incident occurs does it become visible how intertwined the chain is and how many organizations can be affected simultaneously.

In this sense, the Nebu incident fits into a broader pattern also visible with cloud providers, software suppliers, and other service providers who occupy a similar position within digital ecosystems.

Visibility as a Starting Point

What this incident primarily shows is the importance of insight into how data and processes move through the chain. Not only with direct suppliers, but also with underlying software and platforms that play a role in execution.

By understanding these connections, more context emerges when an incident occurs. The Nebu incident thus makes visible how digital dependencies function in practice, precisely when they come under pressure.