A judge has ruled that IT company Switch does not have to pay the compensation of 4 million that the Court of Twente demanded in connection with the ransomware attack in 2020. The judge believes that the municipality itself had failed and that Switch did not act negligently .
The court states that Hof van Twente itself opened the rdp port to the internet, set the easy-to-guess password ‘Welcome2020’, and had not activated two-step verification. As a result, the municipality itself would have been responsible for the ransomware attack, the judge ruled. In addition, neither the firewall rule changes nor the password change were reported to the IT company, Switch IT Solutions. The municipality itself wanted the highest management rights, which is why Switch had already warned in advance that it ‘cannot be held responsible for the consequences of the own actions of the employees of the municipality’.
The IT supplier had taken care of adequate security, according to the court, and has thereby complied with its contractual agreements. The contract did not explicitly state that the supplier was obliged to report security risks, but it did state that it was required to detect signals of risky situations. “It has been explicitly agreed that proactive monitoring only concerns the functioning of the servers, storage and network facilities. Unauthorized login attempts and/or a brute force attack will only be reported in functional monitoring if they affect the capacity, performance and availability of the The municipality has stated that this has been the case here, but has not substantiated it.”
In December 2020 a ransomware gang managed to gain access to the systems of the municipality via a brute force attack, which were infected with ransomware and therefore became unusable. The group then demanded 750,000 euro ransom . Hof van Twente refused to pay and, according to the municipality, it has lost its entire IT infrastructure. Court of Twente said that tens of thousands of login attempts were made on the servers of the municipality that were not noticed by Switch, and therefore demanded compensation of 4 million euros.