A chronological list of severe data breaches in the Netherlands, insofar as
they have become publicly known. If you have an entry to add to this list, please
mail Karin Spaink, and make sure to include
a reference to a news publication discussing the event. The idea to create such a
list arose after three severe incidents in the course of four weeks; the example
was taken from the Privacy Rights Clearinghouse Data Breaches list.
|
| April 7, 2008 |
National Pop Institute |
unknown |
| what: |
The Dutch National Pop Institute managed to briefly publish telephone numbers,
home addresses and mail addresses of Dutch pop musicians, managers, music industry VIPs and pop music
journalists on its website. Amongst those affected are a number of famous people.
|
| response: |
The data was removed. On its website, the NPI did not mention the incident. |
| references: |
Nu.nl, 8 april 2008
|
|
| Jan. 18, 2008 |
Reader's Digest (magazine) |
47.000 addressees |
| what: |
Reader's Digest has moved its 'You might become a winner' direct mails
over to e-mail, and spammed 46.962 people. The mail contained a link to 'your personal
data' and 'your unique code'. By changing the code in the url, the name and full postal
address of all 47.000 spam recipients could be seen.
|
| response: |
Reader's Digest CEO Margit de Koning said she was upset and would investigate
the matter. She did not close the faulty website. |
| references: |
De Telegraaf, 18 jan 2008
|
|
| Jan. 14, 2008 |
Planet (ISP) |
2,5 million customers |
| what: |
One of the sysadmins of Planet,
a Dutch ISP, stored a backup of all client data in a user account, as the result of a typing error
(the user's account and the sysadmin's differed by only one letter). The user warned Planet two
weeks ago, but Planet did not take any action. The file contains the user names, aliases, IP addresses,
encrypted passwords and used services of all private and business Planet accounts. Using hashmaster,
the user could decrypt all passwords.
|
| response: |
Planet ignored the matter until the story spread. It then asked the user to delete
the file. Planet claims that it will change its back-up policy. |
| references: |
Tweakers, 14 jan 2008
Nu.nl, 14 jan 2008
Security.nl, 14 jan 2008
|
|
| Dec. 14, 2007 |
CZ (health insurance) |
55.000 people |
| what: |
CZ, a health insurance company, was
informed that, through sloppy security, the names, addresses, telephone numbers, social security numbers,
bank information, dates of birth and types of insurance of prospective clients who had filled in a web
form for a quotation were out in the open.
|
| response: |
CZ didn't do anything. But when the news hit the media five days after they were
informed, they closed that part of their web site and apologised. |
| references: |
AD, 14 dec 2007
Webwereld, 14 dec 2007
|
|
| Dec. 12, 2007 |
Vecozo (health insurance) |
almost all insured people |
| what: |
Vecozo, an organisation set
up by health insurance companies, has created a password- and certificate-protected web site where
professionals can check whether patients are indeed insured. The newspaper Trouw discovered that
currently, 80.000 people can access those data: not only health professionals, but also nurses,
home carers and taxi drivers. In other words: 1 out of every 200 in NL has access to the site. One
can access name, date of birth, address and social security number
of those insured. It's possible to find the addresses of well-known people and of people who have
secret addresses (for instance, battered women who've fled their husbands).
|
| response: |
Vecozo declared that one could not access telephone numbers and refrained from all other comments. |
| references: |
Trouw, 12 dec 2007
Webwereld, 12 dec 2007
|
|
| Nov. 20, 2007 |
Ministry of Defense |
several thousand marines |
| what: |
A 340-page list with names, home addresses, functions and ranks of marine
personnel was inadvertently put on a Defense web site. Among them were the names and addresses
of marines working for defense intelligence. The list was an internal document and not meant for
publication.
|
| response: |
Defense removed the list after two days, but it lingered on several
Defense-operated servers for several days. After an assessment of the problem by Prof. Chris Verhoef, the department finally took down the website in mid-December. |
| references: |
AD, 20 nov 2007
Webwereld, 21 nov 2007
Automatiseringsgids, 6 december 2007
|
|