General notification from Vestas Wind Systems A/S

Aarhus, 08 December 2021

Notification of personal data breach

Vestas Wind Systems A/S (“Vestas”) has been the target of a cyber security incident which involved hackers compromising and gaining unauthorised access to data stored on Vestas internal file share systems.

This notification is to inform Vestas employees and business partners that the cyber security incident involved a breach of personal data.

In order to ensure a timely notification of affected employees and business partners and due to challenges in identifying all individuals whose personal data has been compromised, Vestas has decided to provide this public notification of the personal data breach.

How might the data breach have affected your personal data?
The hackers managed to retrieve data from the compromised internal file share systems and have made some of the compromised data public. There are no indications that personal data outside Vestas internal file share systems was compromised.

Upon becoming aware of the cyber security incident on 19 November 2021, Vestas immediately involved relevant authorities and IT security experts to assist and perform a thorough forensics investigation. The aim of this investigation was to identify the data that had been compromised and any individuals whose personal data had been affected. The investigation is still ongoing, but Vestas has received confirmation that some of the compromised data has been leaked by the attackers and potentially offered to third parties.

The investigation carried out by Vestas suggests that the hackers have not specifically targeted personal data. However, the hackers have managed to retrieve files from Vestas’ internal file share systems, which, among other things, contained personal data.

While the personal data varies between the different files retrieved by the hackers, the majority of the personal data that has been compromised falls within the following types of personal data: names and contact details, including addresses, emails, phone numbers, country of residence, education, training and professional skills, pictures, information related to job applications and CVs, information related to the management of employment, salary information, employment documents (contracts etc.), information on absence and leave, and travel information.

In some instances, the investigations have identified that the files retrieved by the hackers contain more sensitive categories of personal data, including information regarding marital status and next of kin, identification documents (passports, birth certificates, work permits and driver’s license), social security numbers, medical certificates, injury reports, and bank account information.

It is important to reiterate that not all employees and business partners of Vestas have been affected by the cyber security incident and the majority of the compromised personal data is not of a sensitive nature. If Vestas, as part of the investigation, identifies individuals whose personal data is compromised, Vestas will to the extent possible notify the affected individuals, if it is assessed that this is appropriate given the risk to such individuals. 

However, due to the potential risk caused by the leak of personal data, Vestas encourages all employees and business partners to stay vigilant for any indications of misuse of their personal data.

What is Vestas doing to protect your personal data?

Immediately upon Vestas becoming aware of the cyber security incident, an incident response was initiated to stop the attack and prevent further unauthorised access to Vestas’ data. This involved a thorough forensics investigation, shutting down the affected IT systems and cleaning, restoring and hardening the systems before taking them back into operation. Vestas reviews and evaluates the above measures on an ongoing basis in order to verify that these remain effective.

Who can you contact if you have further questions?
If you have any questions or concerns about your personal data or this notification, please reach out to us through our dedicated email, and we will get back to you as soon as possible.

Email: Cyberincident@vestas.com

Kind regards,
Henrik Andersen




Hedeager 42, 8200 Aarhus, Denmark
Tel: +45 9730 0000, Fax: +45 9730 0001, vestas@vestas.com, vestas.com
Bank: Nordea Bank Danmark A/S, Reg. No.: 2100,
Account No.: DKK 0651 117097 - EUR 5005 677997
Company Reg. No.: 10 40 37 82, Company Reg. Name: Vestas Wind Systems A/S