A chronological list of digital data breaches in the Netherlands (in Dutch: ‘datalekken’), in as far as they have become publicly known, since November 2007. If you have an entry to add to this list, please mail Karin Spaink, and make sure to include a reference to a news publication describing the event. The idea to create this list arose after three severe incidents occurred in a single month; the example was taken from the Privacy Rights Clearinghouse Data Breaches list.
This list is about data breaches. It’s about the unintentional leaking of data, not about exploits, hacks and/or vulnerabilities. Hence, it deals with unsecured and ‘misplaced’ data rather than with stolen data; with actual leaks rather than possible security holes; and finally, with digital data rather than paper files. Sometimes, however, it’s not easy to draw a line, so some of the items listed might be debatable. I started the list in November 2007. Older data breaches are not listed.
Rejo Zenger maintains a similar list. His criteria are slightly wider than mine. He has also spotted some data breaches that I hadn’t read about; I’ve included those. Additionally, Rejo now maintains Bits of Freedom’s data breach pages.
- Aug 16, 2010: TV show leaks data
- July 13, 2010: City leaks bank numbers
- July 13, 2010: Tour operator leaks bookings
- July 10, 2010: 10% of hospital personnel fell for phishing test
- July 06, 2010: Psychiatric/criminal files dumped on street
- July 05, 2010: E-mail addresses disclosed
- June 06, 2010: City sends wrong file
- May 28, 2010: Sensitive DoJ data published
- May 19, 2010: 75% of NL companies have leaked data
- May 18, 2010: Travelers’ info leaked
- May 04, 2010: Bank dupes duped
- Mar 01, 2010: Data of medical applicants leaked
- Feb 27, 2010: Tax papers of civil servants leaked
- Feb 26, 2010: Data of candidates 2006 election leaked
- Feb 25, 2010: Student info often leaked
- Feb 25, 2010: Data of hundreds of politicians leaked
- Feb 08, 2010: Notary puts clients passports online
- Feb 05, 2010: City Hall leaks e-mail addresses
- Feb 05, 2010: Secret service leaks employee mail addresses
- Jan 29, 2010: University of Utrecht leaks pay slips
- Jan 27, 2010: Dpt of Public Works leaks subscribers’ data
- Dec 17, 2009: Bank employee loses USB stick
- Nov 24, 2009: Social services leak e-mail addresses
- Sep 08, 2009: Government leaks credit card numbers
- Aug 12, 2009: Press agency leaks contact database
- June 23, 2009: Stayokay hotel bookings leaked
- June 17, 2009: Emergency info leaked online
- May 30, 2009: Two telco’s hand over sms contents to intelligence service
- May 08, 2009: Hoster Vuurwerk/Tele2 leaks e-mail addresses
- May 04, 2009: Newspaper leaks e-mail addresses
- Apr 29, 2009: City police leaks e-mail addresses
- Apr 06, 2009: Dispute Committee website reveals all
- Mar 31, 2009: Magazine leaks new subscribers
- Mar 30, 2009: Bike locker codes up for grabs
- Mar 24, 2009: Police site leaks speeding pictures
- Feb 10, 2009: Free condom site leaks customer data
- Jan 02, 2009: Pathe leaks online reservations
- Dec 01, 2008: Lotto leaks 1 million data
- Nov 25, 2008: Hard disk owners don’t wipe
- Oct 22, 2008: Military official loses USB stick
- Sep 22, 2008: Provinciale Staten Limburg
- Jul 17, 2008: Fortis MeesPierson Bank
- Jul 15, 2008: T-Mobile
- Jun 06, 2008: Indonesian Embassy
- May 06, 2008: Various (Crimeserver)
- Apr 07, 2008: National Pop Institute
- Jan 18, 2008: Reader’s Digest (magazine)
- Jan 14, 2008: Planet (ISP)
- Dec 14, 2007: CZ (health insurance)
- Dec 12, 2007: Vecozo (health insurance)
- Nov 20, 2007: Dpt. of Defense
Aug 16, 2010 | TV show leaks data | 13.000 |
what: | Breekijzer is a by now defunct tv show to which people could send their complaints about companies, institutes and government bodies; the program would select some of these complaints and attempt to help the complainers. All (or most) of the complaints that Breekijzer received are stored in an online database; once you had logged in to see your own complaint, you could easily see all other complaints by merely changing the complaint number. Thus, 13.000 complaints were retrievable. All complaints listed name, address, telephone number, e-mail address, and gender. Often, the complaint itself has a private nature. | |
response: | Pieter Storms – the owner of the TV show – did not respond to warnings. In the end, his ISP took measures to prevent further leaking. | |
references: | Bits of Freedom, August 16, 2010 | |
July 13, 2010 | City leaks bank numbers | unknown |
what: | Private data of people who have received a building license in Groningen is visible via the city’s website. (One needs to apply for such a license when expanding one’s house or building an addendum to it.) Data disclosed are names, addresses, bank numbers, signatures and telephone numbers. In April of this year, the city removed the general index to all approved licenses when warned that it was thus leaking data, and considered the matter done. As it turns out, simply by increasing or decreasing the file number in a url. | |
response: | None, as of yet. | |
references: | Oog.tv, July 13, 2010 | |
July 13, 2010 | Tour operator leaks bookings | unknown |
what: | Dutch tour operator Corendon gives people who’ve booked via their site a client number and a booking number. Turns out that these are handed out sequentially, so by just increasing or decreasing the number in the query, one can see other people’s data. Visible were: destination, date of departure, return date, flight information, amount paid, amount left to be paid, plus information about all people booked: names, addresses, telephone number, date of birth. | |
response: | Jeroen van der Gun discovered the leak and warned Corendon on June 28. On July 7, Corendon changed the login procedure for clients, who now also have to enter an e-mail address to see their booking. | |
references: | Website Jeroen van der Gun, July 13, 2010; Bits of Freedom, July 13, 2010 | |
July 10, 2010 | 10% of hospital personnel fell for phishing test | 1423 |
what: | Erasmus MC, the biggest academic hospital in The Netherlands, puts considerable effort into security awareness and data hygiene. (They participated in my September 2006 Electronic Patient Files test, and did relatively well; also, they used the results of my test to again stress the need for data hygiene among personnel.) In June, the hospital tested its own personnel by sending a hospital-wide phishing mail, asking addressees to please give their account name and password. 1423 people complied – slightly more than 10% of all Erasmus MC personnel. | |
response: | The board summed up the results of their test in a new mail to all personnel, and started a new campaign for data hygiene awareness. | |
references: | Mail of Erasmus MC to personnel, June 2010; Security.nl, July 12, 2010 | |
July 06, 2010 | Psychiatric/criminal files dumped on street | unknown |
what: | DPD, the District Psychiatric Service in The Hague – which keeps the psychiatric and criminal records of (former) detainees – dumped a box full of such records on the street, together with ‘other garbage’. A passerby found the box and reported the matter to the Dutch privacy authority (CBP). This was in January 2010. The CBP has now reported about the case and discovered that for years, all medical and criminal files of detainees were stored in an unprotected cellar. | |
response: | The CBP reminded the Dpt of Justice and DPD that records like these are highly sensitive data and merit strong protection. | |
references: | CBP report, June 2010; Security.nl, July 6, 2010 | |
July 05, 2010 | E-mail addresses disclosed | 375 |
what: | NLKabel – a field organization for cable providers – sent its daily newsletter to subscribers. The addresses of 375 of them ended up in the e-mail itself. | |
response: | NLKabel confirmed its mistake. | |
references: | Bits of Freedom, July 5, 2010 | |
June 06, 2010 | City sends wrong file | 2800 |
what: | After requesting a directory of the services of city X, a citizen of that city was sent not that directory, but a file containing the names of the circa 2800 people living in that city who may not renew their passport or who have to hand in their passport. Reasons why people end up on this so-called Alert List: they’ve lost their passport too often (and are suspected of fraud or trafficking in passports); they owe the government money (taxes, fines, alimony); they’ve lost Dutch nationality; they’re bankrupt; or they’re involved with criminal offenses. Every city receives an Alert List from the Dpt. of Internal Affairs once per month. | |
response: | The Dpt. of Internal Affairs will remind all city authorities to treat the Alert List as sensitive data, and is considering sending it in the form of protected digital data in the future. Currently, the Alert List is sent in paper form. | |
references: | Dpt. of Internal Affairs, June 6, 2010 | |
May 28, 2010 | Sensitive DoJ data published | unknown |
what: | Various web sites have published ‘documents containing sensitive data’ from the Department of Justice’s national penitentiary task force (Landelijke Bijzondere Bijstandseenheid), who are called in when there are problems in jails. The nature and the scope of the leak are unclear, but it seems that the documents contain information about the task force’s organisation, including phone numbers. | |
response: | The DoJ has asked the owners of the web sites concerned to remove the information and has taken ‘measures to minimise the risk for its employees’. | |
references: | Nu.nl, May 28, 2010 | |
May 19, 2010 | 75% of NL companies have leaked data | 168,000 |
what: | A study by Accenture and the Ponemon Institute shows that 75 percent of Dutch companies have had a data breach in which they lost employee, client or customer data. That’s more than the global percentage, which stands at 58 percent. | |
response: | – | |
references: | Security.nl, May 19, 2010 | |
May 18, 2010 | Travellers’ info leaked | 168,000 |
what: | The web site Ervaar het OV (Experience Public Transport) is a government site promoting the new public transport chip card (OV card). Visitors can order a personal OV card, get discount vouchers and special offers via the site. For months, the customer database could be accessed (and changed) via a simple MySQL injection; the data of the 168,000 people who have registered via the site were available. The data included name, address, date of birth, telephone number and e-mail address, and possibly passport number and payment method. Hacker ins3ct3d proved the leak by retrieving all the data of a journalist. | |
response: | After having been informed of the leak, the government closed the site. The OV chip card is mandatory in some regions in NL, and will be rolled out in others in the coming months. The SP (a political party) will motion for a freeze: this is the umpteenth vulnerability/leak with regard to the OV chip card. | |
references: | Webwereld, May 18, 2010 | |
May 04, 2010 | Bank dupes duped | several dozen |
what: | Many people who were duped by DSB Bank going broke joined the foundation Hypotheekleed (‘mortgage pains’). One of them suddenly started to receive e-mails containing the names, data and mortgage information of other members. Apparently, this happened because one of the employees of the foundation entered the wrong e-mail address. | |
response: | Hypotheekleed admitted the error and promised to be more careful in the future. | |
references: | De Telegraaf, May 4, 2010 | |
Mar 01, 2010 | Data of medical applicants leaked | unknown |
what: | The data of people who applied for a specialization as general practitioner after having finished their primary medical education, leaked via the website Huisartsenopleiding. Appending a first name to a specific url was sufficient to see all of the applicant data: address, date of birth, SSN, medical ID number, education, diplomas, previous jobs, etc., if an applicant with that first name existed. | |
response: | Huisartsenopleiding was rather shocked and immediately modified their website. | |
references: | Bits of Freedom, March 1, 2010 | |
Feb 27, 2010 | Tax papers of civil servants leaked | several hundreds |
what: | The 2009 tax reports of all civil servants, city council members and assistants of the municipality Woudenberg/Scherpenzeel were leaked; newspaper De Telegraaf received a paper copy of all papers. The papers include name, address, SSN, salaries, other income, bank savings, deductions etc. of everybody working for the municipality and the city council, from the mayor to the members of the fire brigade. It’s unclear how the data were leaked and why they were sent to the press. | |
response: | City Hall has asked the police to investigate the matter. | |
references: | De Telegraaf, Feb. 27, 2010 | |
Feb 26, 2010 | Data of candidates 2006 election leaked | several hundreds |
what: | Private information such as telephone numbers and home addresses of all candidates for the 2006 national election was leaked, including the address of prime minister Balkenende and several other members of the government. The data were leaked via open directories on the websites of the Zaandam and the Lith municipalities. (During the 2006 elections, many municipalities used the Nedap voting computers. The candidate lists were fed into the computers and apparently, Lith and Zaandam put this information in an unprotected directory.) | |
response: | The open dirs were closed; Google’s cache still reveals the documents. | |
references: | Webwereld, Feb. 26, 2010 | |
Feb 25, 2010 | Students info often leaked | several thousands |
what: | The teachers’ union (Algemene Onderwijsbond) researched how often student information is accessible via Google. They found quite a lot: lists of home addresses, student reports, progress reports, assessment reports. The union notified all the universities, faculties and training colleges that were at fault. It’s the second time that the Algemene Onderwijsbond embarked on such a student privacy scan. | |
response: | Most colleges and faculties remedied the situation as best as they could. | |
references: | AOB, Feb. 25, 2010 | |
Feb 25, 2010 | Data on hundreds of politicians leaked | several hundreds |
what: | The addresses, telephone numbers, mobile phone numbers, home e-mail addresses and work e-mail addresses of hundreds of politicians (all members of the PvdA, the Dutch social democrats) and a number of their sponsors are out in the open. Although the list focuses on party members in the Amsterdam area, it also contains the data of the chair of the Dutch Parliament and several members of the European Parliament. Google has indexed the file. | |
response: | A few hours after the news was published and the owners of the website were contacted, they managed to close the open directory. | |
references: | Webwereld, Feb. 25, 2010 | |
Feb 08, 2010 | Notary puts clients passports online | several hundreds |
what: | Veilingnotaris.nl tries to list all online real estate auctions. Apparently their site is badly protected: Google has indexed a considerable amount of client information, including passport copies, notary deeds, registry information etcetera. The published information concerned both recent and old auctions. | |
response: | Internet Notaries, the owner of veilingnotaris.nl, denied all responsibility. ‘All similar agencies publish this kind of information’, they claim, ‘and besides, it’s the responsibility of the notary who’s doing the auction.’ | |
references: | GeenStijl, Feb. 08, 2010; Webwereld, Feb. 08, 2010 | |
Feb 05, 2010 | City Hall leaks e-mail addresses | 500 |
what: | A civil servant sent a questionnaire to 500 citizens in Tilburg, and managed to put all e-mail addresses in the CC field instead of the BCC field. | |
response: | Some citizens weren’t pleased at all and refused to cooperate with the questionnaire. | |
references: | Omroep Brabant, Feb. 05, 2010 | |
Feb 05, 2010 | Secret Service leaks employee mail addresses | 4 |
what: | In a document published by the AIVD (Dutch Secret Service) about digital espionage, the meta-data reveal the e-mail addresses of four employees. From the meta-data of another document, search engine expert Henk van Ess was able to infer part of the secret service’s internal hierarchy. | |
response: | The AIVD admitted that they had inadvertently released this information, and have done so before; they will investigate how to stop doing this. | |
references: | Webwereld, Feb. 05, 2010 | |
Jan 29, 2010 | University of Utrecht leaks pay slips | unknown |
what: | Randstad HR Solutions, which apparently takes care of the payroll information of the employees of the University of Utrecht, made an error. Employees did not only receive their own January pay slip and yearly overviews, but also slips and overviews intended for others. Randstad HR Solutions stated that the error was made by TNT Cendris, who delivered the slips and overviews. | |
response: | The University sent a mail to all employees informing them of the error, asked them to destroy the envelope, and will send out new pay slips and yearly overviews. Almost two weeks later, the University stated that the extra slips had only been sent to the administration office and that no data had been leaked. | |
references: | Security.nl, Jan. 29, 2010; Ublad Online, Feb. 9, 2010 | |
Jan 27, 2010 | Dpt of Public Works leaks subscribers’ data | unknown |
what: | The Dpt of Public Works (Rijkswaterstaat) installed a new profile system on their web site that subscribers to their newsletter had to use. When logging in to the system, subscribers were presented with the personal data of the previous visitor. The leaked data included first name, last name, e-mail address. Whether one could also change the presented data is unclear. | |
response: | The Dpt. took the system down and fixed the problem. | |
references: | Webwereld, Jan. 27, 2010 | |
Dec 17, 2009 | Bank employee loses USB stick | 3000 |
what: | An employee of the Rabobank lost his USB stick, which held the data of 3000 customers. Apart from the personal information of each of those customers, the stick contained information about the various forms of investments these customers had engaged in, plus the grand sum of their total investments. Somebody found the USB stick and gave it to a regional newspaper, which then contacted the bank. | |
response: | The bank was ‘surprised’, which indicated that the employee hadn’t reported the USB stick as missing. The bank said it will point out safety measures to its employees. | |
references: | Security.nl, Dec. 17, 2009; Nu.nl, Dec. 17, 2009; Tweakers.net, Dec. 17, 2009 | |
Nov 24, 2009 | Social services leak e-mail addresses | 1151 |
what: | UWV Harderwijk and Ommen sent an e-mail to 1151 jobless people and made the classic mistake of putting everybody in the To: field, instead of the BCC: field. | |
response: | The UWV will enhance checks: in the future, all such mails will be inspected by a colleague before sending them off. | |
references: | De Stentor, Nov. 24, 2009 | |
Sep 08, 2009 | Government leaks credit card numbers | 2 |
what: | When releasing the declaration files of members of the government, the Dpt. of Justice failed to properly redact the number and expiry date of the credit cards of the minister of Health and the minister of Justice. | |
response: | Both ministers had to be issued new credit cards. | |
references: | Nu.nl, Sep 8, 2009; GeenStijl, Sep 8, 2009 | |
Aug 12, 2009 | Press agency leaks contact database | thousands |
what: | Press agency GPD managed to allow Google to index its contact database stored on their intranet, thus releasing phone numbers of thousands of well-known Dutch people. Among those whose contact information was published were the Dutch prime minister, politician Geert Wilders, lawyer Gerard Spong and tv host Felix Meurders. | |
response: | The GPD blamed the company maintaining their intranet. | |
references: | Tweakers, Aug 12, 2009; NRC Handelsblad, Aug 12, 2009 | |
June 23, 2009 | Stayokay hotel bookings leaked | unknown |
what: | By lowering the number in the url where your booking is accessible, one could retrieve other people’s hotel bookings. Name, address and dates of stay were visible. | |
response: | Stayokay fixed their web site. | |
references: | Tweakers.net, June 23, 2009 | |
June 17, 2009 | Emergency info leaked online | unknown |
what: | The information that emergency services such as ambulances send to one another was transmitted unencrypted. Because the C2000 system in Brabant (a Dutch province) didn’t have full coverage, emergency services used P2000 instead, which sends unanonymized data: name, address, ailment etc. In one case, information was put online containing the information of a suicide attempt gone wrong. | |
response: | Brabant will get more extensive C2000 coverage. | |
references: | Security.nl, June 17, 2009 | |
May 30, 2009 | Two telco’s hand over sms contents to intelligence | unknown |
what: | Telcos Vodafone and T-Mobile decided it was too much hassle to separate traffic data from content. When the Dutch intelligence service AIVD asked them for traffic data of sms messages, they delivered the content as well. The practice continued even after Vodafone and T-Mobile were informed of their error. | |
response: | Both companies claimed that it was impossible to separate traffic data from content. When competitor KPN announced it had no problem doing so, Vodafone and T-Mobile promised to change their policy. In Jan 2010, this ‘mistake’ earned both telcos a Big Brother Award nomination. | |
references: | NRC Handelsblad, May 30, 2009; Tweakers.net, May 30, 2009 | |
May 08, 2009 | Hoster Vuurwerk/Tele2 leaks e-mail addresses | 114.093 subscribers |
what: | Due to a patch in Majordomo that was never installed, a simple ‘which @’ command sent by mail resulted in a list of all 114.093 people who were subscribed to any of Vuurwerk’s mailing lists. | |
response: | The hoster apologized and fixed the error. | |
references: | Webwereld, May 8, 2009 | |
May 04, 2009 | Newspaper leaks e-mail addresses | 32.781 people |
what: | A .txt file containing 32.781 e-mail addresses of people who are subscribed to the electronic newsletter of Het Dagblad van het Noorden was openly available on the newspaper’s website. The list has leaked to the net and has been indexed by search engines. | |
response: | The newspaper apologized. | |
references: | Fok.nl, May 4, 2009; Nu.nl, May 4, 2009 | |
Apr 29, 2009 | City police leaks e-mail addresses | 650 people |
what: | When attempting to manually send a newsletter, informing people in Delft of a plan to enlist citizens in the solving of crimes, a police spokeswoman accidentally put the e-mail addresses of 650 people in the cc-field instead of the bcc-field. | |
response: | The person who made the mistake offered her apologies. | |
references: | Webwereld, April 29, 2009 | |
Apr 6, 2009 | Dispute Committee leaks all | ca. 40.000 claimants |
what: | The website of the Dispute Committee – a governmental body that resolves disputes between citizens and corporations – turned out to have been badly protected for more than a year. People who had been given a case number and a login could access all other cases on the website. Reporter Jeroen Wollaars (who had a login because he was involved in a case at the Dispute Committee) could retrieve documents going as far back as 2005, and could access other people’s claims, company counter claims, pleas, bills, financial reports, and other sensitive data. The Committee deals with more than 10.000 claims per year; all these documents were retrievable. | |
response: | The Dispute Committee closed their website, stating they would only re-open it after a thorough security check. A month later, the website was still closed. | |
references: | NOS, April 6, 2009 | |
Mar 31, 2009 | Magazine leaks new subscribers | 80-90 subscribers |
what: | Bright, a magazine about technology and internet, had an error on the site that leaked the personal data – name, home address, bank account, mobile number – of people who had recently subscribed through the website. Google had already indexed the data, as security expert and recent subscriber Geert Booster discovered. | |
response: | The site was fixed and Google was asked to flush its cache. | |
references: | Webwereld, Mar 31, 2009; Bright, Mar 31, 2009 | |
Mar 30, 2009 | Bike locker codes up for grabs | 50.000 customers |
what: | The personal details – name, home address, bank account, card number and unlock code – of the 50.000 people who have a subscription with OV-fiets, where they rent a bike locker at train stations, were available through the OV-fiets website. To retrieve personal data from the website, no password was needed, only a ‘personal’ number. By typing in subsequent numbers, other people’s data were freely available. | |
response: | The site was fixed after security expert and OV-fiets customer Mendel Mobach alerted OV-fiets. | |
references: | Webwereld, Mar 30, 2009; Bright, Mar 30, 2009 | |
Mar 24, 2009 | Police site leaks speeding pictures | unknown |
what: | People who have received a speeding ticket can check the pictures used as evidence at Mijnpolitiebureau.nl. Unfortunately, the site allowed browsing through other pictures which showed cars, license plate, date and location. | |
response: | The site was fixed. | |
references: | De Telegraaf, Mar 24, 2009; Tweakers, Mar 24, 2009 | |
Feb 2, 2009 | Condom site leaks customer data | 10.000 customers |
what: | The website GratisCondoom.com, which mails free condoms to young people at their request, sends customers a mail with a client number. By changing the number, one could access other clients and see all their data, including name, address, zip code and city. More than 10.000 customers were affected. What’s especially painful is that the service is intended for youngsters who are shy to buy condoms in a shop. | |
response: | The site was adjusted immediately after a customer notified them of the faulty security. | |
references: | NU.nl, Feb 10, 2009 | |
Dec 01, 2008 | Lotto leaks data | 1 million people |
what: | The Dutch Lotto bought the addresses of subscribers to Veronica Magazine and sent them a letter with a special action code to be used on a web site. Due to faulty security, all names and addresses were retrievable, sorted by postal code. Subscribers to the magazine didn’t even know that their data had been sold. | |
response: | Lotto adjusted the site after having been informed about the error. | |
references: | Webwereld, Dec 1, 2008 | |
Jan 2, 2009 | Pathe leaks online reservations | all online customers |
what: | A publicly accessible computer in an Amsterdam Pathe cinema allowed browsing of the system via the trash can. People could access a list containing information of all people who had made internet reservations in 2008. | |
response: | Pathe did not comment. | |
references: | Bright, Jan 2, 2009 | |
Nov 25, 2008 | Half of discarded hard disks contain private data | unknown |
what: | An investigation by Surfnet shows that half of all discarded hard disks contain confidential data. The organization bought secondhand hard disks in computer shops. Many disks turned out to contain private and confidential data. Some disks had clearly belonged to businesses and organizations. Amongst others, Surfnet found a complete database of a health organization, internal data from the IT department of an airplane company, and confidential data belonging to private persons. | |
response: | The advice is to properly wipe hard disks before reselling them. | |
references: | Surfnet press release, Nov 25, 2008; Surfnet report, Nov 25, 2008 | |
Oct 26, 2008 | Military official loses USB stick | unknown |
what: | A military official lost a USB stick, which was later found by two guys from The Hague, who subsequently tried to blackmail him and threatened to report their findings to the press. The official finally reported his problems to the Military Police, who set up a fake meeting with the blackmailers and arrested them. | |
response: | The Military Police is investigating whether the official had a right to transfer data to a USB stick. | |
references: | Security.nl, Oct 22, 2008 | |
Sept 22, 2008 | Provinciale Staten Limburg | unknown |
what: | Due to a mail server configuration error, a member of one political party within the Provincial States of Limburg received the internal mail of another political party. Due to the often “explosive content” of those mails, Pierre Diederen (SP), the recipient, believed that somebody from within the CDA was actually leaking these e-mails. After two months, he warned the CDA. | |
response: | Diederen was taken off the CDA mailing list. | |
references: | Tweakers, Sept 22, 2008; Techzine, Sept 22, 2008 | |
July 17, 2008 | Fortis MeesPierson Bank | unknown |
what: | Fortis MeesPierson Bank, which accepts only clients worth more than 1 million euro, had an internal document in an open directory. The file contained data about Fortis MeesPierson’s richest clients: name, address, amount of savings, their investments, mortgage etc. The error was discovered by journalists from Z24. | |
response: | Z24 contacted Fortis, who removed the document. | |
references: | Z24.nl, July 17, 2008; Security.nl, July 18, 2008 | |
July 15, 2008 | T-Mobile | 20 people |
what: | A T-Mobile shop sent out a mail to 20 customers informing them that their reservation for an iPhone had been duly processed. The shop put all the addressees in the cc-field, allowing all of them to see one another’s name. | |
response: | The main T-Mobile office sent a warning to all local shops, reminding them of the privacy procedures. | |
references: | Webwereld, July 15, 2008 | |
June 6, 2008 | Indonesian Embassy | 25,000 people |
what: | The Indonesian Embassy had a vulnerability on their website visa4indonesia.nl, allowing visitors to see the data (name, address, travel information, passport numbers) of 25.000 Dutch people who had applied online for an Indonesian visa since 2007. The error was discovered by Orne Brocaar, while he himself applied for a visa. | |
response: | Brocaar contacted the Embassy, who then reputedly fixed the error. There was some concern that Google might meanwhile have crawled the documents. | |
references: | Webwereld, June 6, 2008 | |
May 6, 2008 | Various (Crimeserver) | unknown |
what: | Security firm Finjan discovered a web server controlled by criminals, containing more than 1.4 Gigabyte of business and personal data stolen from infected PCs. The data consisted of 5,388 unique log files. The compromised data came from all around the world and contained information from individuals, businesses, as well as renowned organizations, including healthcare providers. The server contained among others 571 log files from the US, 621 from Germany, 322 from France, 308 from India, 232 from Great Britain, 150 from Spain, 86 from Canada, 58 from Italy, 46 from the Netherlands, and 1,037 from Turkey. The web server contained malware that stole information from infected PCs and then stored that data on the web server, ‘without any access restrictions or encryption, the data were freely available for anyone on the web, including criminal elements.’ Finjan found compromised patient data, bank customer data, business-related email communications and Outlook accounts containing email communication. | |
response: | Finjan contacted at least 40 companies whose computers had been compromised. | |
references: | Finjan, May 6, 2008; Webwereld, May 7, 2008 | |
April 7, 2008 | National Pop Institute | unknown |
what: | The Dutch National Pop Institute managed to briefly publish telephone numbers, home addresses and mail addresses of Dutch pop musicians, managers, music industry VIPs and pop music journalists on its website. Amongst those affected are a number of famous people. | |
response: | The data was removed. On its website, the NPI did not mention the incident. | |
references: | Nu.nl, April 8, 2008 | |
Jan 18, 2008 | Reader’s Digest (magazine) | 47.000 addressees |
what: | Reader’s Digest has moved its ‘You might become a winner’ direct mails over to e-mail, and spammed 46.962 people. The mail contained a link to ‘your personal data’ and ‘your unique code’. By changing the code in the url, the name and full postal address of all 47.000 spam recipients could be seen. | |
response: | Reader’s Digest CEO Margit de Koning said she was upset and would investigate the matter. She did not close the faulty website. | |
references: | De Telegraaf, Jan 18, 2008 | |
Jan 14, 2008 | Planet (ISP) | 2,5 million customers |
what: | One of the sysadmins of Planet, a Dutch ISP, stored a backup of all client data in a user account, as the result of a typing error (the user’s account and the sysadmin’s differed by only one letter). The user warned Planet two weeks ago, but Planet did not take any action. The file contains the user names, aliases, IP addresses, encrypted passwords and used services of all private and business Planet accounts. Using hashmaster, the user could decrypt all passwords. | |
response: | Planet ignored the matter until the story spread. It then asked the user to delete the file. Planet claims that it will change its back-up policy. | |
references: | Tweakers, Jan 14, 2008; Nu.nl, Jan 14, 2008; Security.nl, Jan 14, 2008 | |
Dec 14, 2007 | CZ (health insurance) | 55.000 people |
what: | CZ, a health insurance company, was informed that through sloppy security, the names, address, telephone number, social security number, bank information, date of birth and type of insurance of prospective clients who had filled in a web form for a quotation, were out in the open. | |
response: | CZ didn’t do anything. But when the news hit the media five days after they were informed, they closed that part of their web site and apologised. | |
references: | AD, Dec 14, 2007; Webwereld, Dec 14, 2007 | |
Dec 12, 2007 | Vecozo (health insurance) | almost all insured people |
what: | Vecozo, an organisation set up by health insurance companies, has created a password and certificate protected web site where professionals can check whether patients are indeed insured. The newspaper Trouw discovered that currently, 80.000 people can access those data: not only health professionals, but also nurses, home carers and taxi drivers. In other words: 1 out of every 200 in NL has access to the site. One can access name, date of birth, address and social security number of those insured. It’s possible to find the addresses of well-known people and of people who have secret addresses (for instance, battered women who’ve fled their husbands). | |
response: | Vecozo declared that one could not access telephone numbers and refrained from all other comments. | |
references: | Trouw, Dec 12, 2007; Webwereld, Dec 12, 2007 | |
Nov 20, 2007 | Ministry of Defense | several thousand marines |
what: | A 340-page list with names, home addresses, functions and ranks of marine personnel was inadvertently put on a Defense web site. Among them were the names and addresses of marines working for defense intelligence. The list was an internal document and not meant for publication. | |
response: | Defense removed the list after two days, but it lingered on several Defense-operated servers for several days. After an assessment of the problem by prof. Chris Verhoef, the department finally took down the website in mid December. | |
references: | AD, Nov 20, 2007; Webwereld, Nov 21, 2007; Automatiseringsgids, Dec 6, 2007 | |
Add a link to https://www.bof.nl/ons-werk/prive-gegevens/zwartboekdatalekken as well?