The Dutch privacy authority (AP) signalled growing numbers in its data breach report of 2021. Attacks on IT suppliers are increasingly impacting the supply chain.

The data breach report for 2021 shows that 24,866 breaches were reported in the Netherlands last year. According to the AP, organizations feel increasingly obligated to report attacks, which caused the number to rise from last year.

2,210 of the breaches were caused by a cyberattack, up 88 percent from 2020. Strikingly, most of the attacks were caused by misdelivered letters and postal packages, which paved the way for phishing and ransomware.

Attacks on IT companies

The privacy authority further notes that IT suppliers are being attacked more frequently. These attacks often have a major impact on the supply chain. In 2021, 28 IT suppliers were attacked. Together, the attacks led to 1,800 data breach notifications to the AP. At least 7 million people were affected. Not all data breaches are reported to the AP, meaning there are probably many more.

Little investigation

In principle, the AP must investigate every notification of a data breach. In practice, this rarely happens. The supervisor initiated a total of 36 official investigations into data breaches, mainly involving IT suppliers. The investigations were carried out without the companies having reported the incidents themselves.

The supervisor only investigates if there are stones left unturned. For example, if a letter or e-mail was forwarded to the wrong address, the cause is clear. Companies are expected to investigate themselves. External investigations hardly ever take place.