Security incident

  • Updated on Feb 24, 2026
  • Published on Feb 12, 2026
  • 5 minute(s) read
  • AR
  • TR
  • KH
 Prev Next

This status page contains all currently available information about the security incident that occurred on February 11th. OTYS will update this page as new or relevant information becomes available. If an unusual situation applies to your organization, or if the investigation reveals details that apply specifically to your organization, you will be informed personally.

Introduction

On February 11 2026, OTYS identified and contained a security incident involving the misuse of an upload functionality within its environment.
The incident resulted in the execution of malicious scripts and the sending of phishing emails from within the OTYS system.

A phishing email is currently circulating that misuses the otys.nl domain. This email was not sent by OTYS.
The email appears to originate from: ASN-kantoor – pentest@otys.nl

The message claims that your security device is outdated and that your access to online banking has been temporarily restricted. It then asks you to update your “security” via a button in the email.

This is a fraudulent attempt to obtain sensitive information.

What should you do?

If you have received this email:

  • Do not click on any links in the email.

  • Do not provide any personal or login details.

  • Delete the email from your inbox immediately.

If you have clicked the link or entered information:

  • Please contact your IT department or security officer immediately.

We are actively monitoring the situation and have taken appropriate measures to prevent further misuse.

What data may have been accessed?

Our investigation shows that, in some cases, access was obtained to contact details stored in the database.

Based on our current findings, this concerns only:

  • Email addresses

of users, candidates, and/or contact persons.

For a limited number of customers there is an indication that also other data was accessed. These customers have been personally informed. If this applies to your organization, you have been informed. If you have any doubts or questions, please feel free to contact us. There is no evidence that passwords, financial data, identification documents, national identification numbers, or other sensitive information were involved.

While email addresses qualify as personal data, they do not constitute special categories of personal data or highly sensitive information. We therefore assess the impact on individuals’ privacy to be limited.

Nevertheless, we take this incident very seriously.

Measures taken

As soon as the incident was identified:

  • The unauthorized access was immediately blocked.

  • Additional security measures were implemented.

  • Affected functionalities were disabled to prevent recurrence.

In a very limited number of cases, we are proactively contacting affected customers and requesting that they change the password of the relevant relay server as a precautionary measure.
This is a preventive step, even though we have no indications that these credentials have been misused.

We continue to actively monitor the situation.

Legal framework

OTYS acts as a data processor under the General Data Protection Regulation (GDPR). Our customers are the data controllers.

This means that:

  • The responsibility for notifying affected individuals lies with the data controller.

  • OTYS cannot independently contact data subjects.

We fully support our customers by providing all relevant information necessary for them to fulfill their legal obligations properly.

In accordance with applicable laws and regulations, we are currently assessing whether this incident meets the threshold for notification to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). If required, we will submit a formal notification.

FAQ

LAST UPDATE 24/02/2026 13:27 PM

FAQ

Was OTYS not properly secured?

Security of our infrastructure, customer data, and personal data is our highest priority. One of the ways this commitment is reflected is our ISO 27001 certification, awarded by an independent auditor. We continuously invest in strengthening our resilience, and are using this incident as an opportunity to conduct a thorough evaluation and further enhance our security measures.

How was unauthorized access obtained?


Through advanced scripting technology, the attackers were able to abuse email addresses  for a phishing campaign.

What concrete measures have been taken to prevent recurrence or further impact?


The ability to execute scripts from the upload environment has been disabled at a global level.

Is an investigation being conducted into potential delayed hacking opportunities?


The relevant web form with upload functionality is no longer available, and the affected functionalities have been disabled to prevent recurrence.

Can you provide a list of the specific email addresses that may have been exposed?


For the time being, we assume that all registered email addresses may have been accessible to the attackers.

How many of our candidates were affected by this incident?


The exact scope is unknown, as it concerns an unsorted collection of email addresses, without any link between the email address of the candidate/contact person/user and your company.

When and how will affected individuals be informed?


OTYS acts as a data processor in this relationship and therefore cannot independently inform data subjects. Independent communication from OTYS would not be appropriate within our role and the contractual agreements in place.

During what period did the unauthorized access take place?


Access log analysis shows that the first malicious scripts were executed on Sunday, February 8 at 20:00. After several unsuccessful attempts, the attackers succeeded on February 11 around 18:00 in launching a phishing campaign by email from within the OTYS system. Within one hour of detection, the unauthorized access was blocked and customers were informed via an email titled Important Security Update from OTYS.

What logging and forensic findings are available?


All logging has been secured and is being investigated in cooperation with forensic IT experts.

Was access limited to viewing only, or was copying/exporting also possible?


Viewing only, to the best of our knowledge at this stage of the investigation.

Has it been established whether the data was used for purposes other than sending phishing emails?


It has been established that the collected data (email addresses) has not been used for purposes other than the phishing campaign, to the best of our knowledge at this stage of the investigation.

What additional security measures have been implemented?


The relevant web form with upload functionality is no longer available, and the affected functionalities have been disabled to prevent recurrence. The ability to execute scripts from the upload environment has been disabled at a global level.

Was this an individual account compromise or a system-level compromise?


Neither; no account credentials were compromised. However, it was possible to upload and execute scripts.

Was MFA enabled on the affected account?


Not applicable; no account credentials were compromised.

Has OTYS already conducted a preliminary risk assessment?


Yes. A shareable version is currently being prepared.

Does OTYS intend to independently notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens)?

Yes.