Switch IT Solutions, an IT company, is not responsible for the ransomware attack on the Municipality of Hof van Twente and is not liable to pay compensation. This was the verdict of the judge in a lawsuit filed by the affected municipality.
The municipality was hit by ransomware at the end of 2020 through a brute force attack that shut down the municipality’s systems. The municipality refused to pay the ransom of 750,000 euros, after which the entire infrastructure became unusable. The municipality argued that its IT supplier, Switch IT Solutions, should have noticed the tens of thousands of login attempts, and therefore demanded compensation of 4 million euros.
The judge concluded that the municipality itself was responsible for the security of the systems. Hof van Twente had opened the RDP port and set an easily guessable password, and two-step verification was not enabled. In addition, changes to firewall rules had not been reported to Switch IT Solutions. Moreover, the municipality itself had requested the highest management rights. The IT supplier had warned that it could not guarantee the actions of municipal employees.
The judge also noted that Switch IT Solutions had provided good security and complied with the contract. The contract did not explicitly state that the company was obliged to report security risks, but it did state that it was required to detect signals of possible risks, particularly for the servers, storage and the network. Under this functional monitoring, brute force attacks are only reported when capacity, performance and availability are affected. The municipality had not proven that this had happened.
Therefore, it has not been established that the IT company failed to fulfil its contractual obligations and/or acted negligently.