Skip to content
arrow-alt-circle-up icon

Cyber Incident?

arrow-alt-circle-up icon

Call 00800 1744 0000

arrow-alt-circle-up icon

Data Theft Victims Deserve Better 

By: Inge van der Beijl,

Northwave General Manager of Innovation and 

Cyber Psychologist

HuFiCon Management Memo:
Journey with the CISO

A mountain climb to cyber security resilience. Find out how to get to the summit of cyber security resilience in Inge van der Beijl's management memo, from her presentation at the Human Firewall Conference (HuFiCon) on the 14.11.2024.

The climb will take you from the base camp of foundational security to the high-camp of a security conscious culture, all the way to the summit consisting of strategic security integration. 

inge_van_der_beijl
Inge van der Beijl

Director Innovation

Inge-van-der-Beijl
Inge van der Beijl, Northwave General Manager of Innovation and Cyber Psychologist
Published: 10 March 2026

How Ransomware Takes a Toll on Indirect Victims and What Can Be Done To Help

In recent years, I have come to increasingly understand the real, significant impact of digital crime on an organisation and those involved. I’ve gained this perspective through the support Northwave provides organisations during cyber incidents and our own research on the mental impact of ransomware. Northwave’s groundbreaking report, “After the Crisis Comes the Blow”, aligns with the work of Jildau Borwell and the Australian research of Cross & Holt (2025). This research reveals that the impact of online crime is at least as profound as traditional crime. In some cases even more so.

And yet, as a society we are falling short when it comes to supporting the victims of data theft. These indirect victims didn't do anything wrong themselves but their data was the target of a ransomware attack.

Ransomware's Tremendous Toll

Almost everyone knows a cybercrime victim. In the Netherlands alone, 16% of all Dutch people aged 15 or older, more than 2.4 million people, were victims of online crime last year. And the consequences are not mild, according to the survey of Online Security & Crime 2024:

    • 37% lose confidence in others
    • 30% feel less safe
    • 5–7% develop sleep problems, anxiety or depressive symptoms

In addition, young people–the generation we call "digitally skilled"–together with vulnerable groups, are most often victims. What makes these incidents so impactful? Simply put, you can't go anywhere to avoid it and you can never 'go back' to the old situation. What we are seeing now is a shift we are still insufficiently aware of: online crime is no longer an incidental risk, but a social reality and, therefore, also a social problem.

Cyber crime feels different from offline crime for a number of reasons:

    • The incident is intangible. Unlike a home break in, victims don’t see the physical signs of the crime. Threats are anonymous, invisible, everywhere and nowhere. That gives a subconcious feeling of loss of control.
    • Shame and diminished self-image. Both Borwell and Cross & Holt show that victims regularly think: 'Should I have seen this coming?', 'Why did I fall for the scam?'. That shame is often greater than in traditional crime. It’s a bizarre reality when you consider that many victims did nothing beyond conducting mundane tasks like online banking, storing photos, or simply being a telecom customer or medical patient.
    • Permanent damage. In the event of a physical burglary, you can always replace your lock again. In the event of a data breach, stolen data will never come back. It can still surface years later, be abused, sold, combined with other datasets, without you ever noticing.
    • You cannot remove yourself from the digital crime scene. These days, our whole life is digital: personal identity, financial details, medical records, email inbox, photos, school details, address, digital services and private communication

The threat is growing. AI accelerates attacks, initial access is offered for sale on the darkweb on a large scale, and a “data only extortion” model is on the rise. With this tactic, ransomware criminals no longer encrypt anything; they steal directly. As a result, we will see many more data breaches and many more indirect victims.

The Forgotten Group: Indirect Victims

Recent ransomware incidents such as Odido or Clinical Diagnostics expose something shocking: millions of Dutch people became victims without ever being called "victim". They didn't do anything wrong, they were just a customer, patient, a citizen. Suddenly, their private data is in the public domain.

Cross & Holt conducted research among 552 Australian indirect victims of data breaches. The research found this group shows (serious) forms of: anxiety, stress, loss of confidence, relational tensions and long-term insecurity. They are victims although they have never been directly attacked. This is exactly the group that no one seems to feel responsible for. Communication makes or breaks the recovery.

The work of both Borwell and Cross & Holt highlight how crucial communication is during cyber crises and incidents. Victims especially want to know: What does this mean for my risk? What should I do now? Who helps me? However, organisations often communicate exclusively on a limited and legal basis. As a result, victims feel powerless and inadequately helped. With indirect victims, this is even more present. There is no victim assistance structure, no safety net. The police carefully take their role with check your hack. This helps victimes to at least know that their email address is involved in the incident. But it’s not clear if any additional personal data is now freely available to criminals.

As far as I am concerned, a lot needs to change. I fully agree with the call for reform from the research of Cross & Holt and Borwell. And I add a few points to that.

    • Recognise citizens as full victims of digital crime. There must be legal, social and policy recognition that a data breach is not an "accident" but a form of victimhood.
    • Establish a national 'data breach victim support line'. Not only for direct victims, but precisely for the millions of people affected by incidents at organisations. People should be able to receive: clarity about what exactly has been leaked, a risk analysis, concrete follow-up steps, help with monitoring and any psychosocial support, if necessary.
    • Oblige organisations to people-oriented, risk-driven communication. No legally inserted letters, but clear explanations, personal options for action, transparency about the nature of the data breach and support offers.
    • Make digital resilience a basic skill, not a privilege. The individual has a responsibility to close your personal digital door, but society also has a responsibility to provide necessary knowledge, context and skills.
White-Paper-Mental

I would like to conclude with the words of Borwell: “Data abuse should be seen as a new form of high-impact crime. Not because systems are affected, but because people are affected. And behind every dataset that is leaked are real people. People who had confidence and who now bear the damage.”

This article was originally shared in Dutch on Inge’s LinkedIn page. Give her a follow for regular insights on cyber psychology and cyber resilience. Northwave has 20 years of experience supporting organisations, and their people, during cyber crises and incidents. Learn how we help organisations protect sensitive data with holistic Human Risk Management and Cyber Crisis Readiness.

 

We are here for you

Need help with your cyber security or wondering how secure your business really is?
Get in touch and we will help you find the best solution.

.