On October 22, 2024, the Dutch data protection authority (AP) announced the publication of its 2023 report on ransomware. In particular, the AP highlighted that there were more ransomware attacks in the Netherlands than were previously known, and that there were at least 178 successful ransomware attacks in 2023.

Accordingly, the AP recommended four approaches for organizations, including:

• adopting multi-factor authentication (MFA);
• ensuring a good password policy;
• performing updates on time, especially regarding known vulnerabilities; and
• ensuring sufficient network segmentation.

The AP stated that 90 of the 178 affected organizations cooperated in further investigations. Concerning the consequences of ransomware attacks, the AP noted that:

• in approximately 50% of the attacks, cybercriminals encrypted systems and stole personal data;
• approximately 9% of organizations paid the ransom;
• in 52% of cases, MFA was not enabled or enforced within organizations;
• many organizations did not have a good password policy;
• organizations did not implement security updates quickly enough, even for vulnerabilities that were over a year old; and
• there was insufficient network segmentation in many organizations.

Notably, the AP detailed that in 44 cases, organizations were subject to double extortion, in that data was both encrypted by the third party and stolen.

You can read the press release here and the report here, both only available in Dutch.