Dutch data breaches

A chronological list of digital data breaches in the Netherlands, insofar as they have become publicly known, since November 2007. If you have an entry to add to this list, please mail Karin Spaink, and make sure to include a reference to a news publication describing the event. The idea to create this list arose after three severe incidents in the course of four weeks; it is modelled on the Privacy Rights Clearinghouse Data Breaches list.

This list is about data breaches, not about exploits, hacks and/or vulnerabilities. Hence, it deals with unsecured and ‘misplaced’ data rather than with stolen data; with actual leaks rather than possible holes; and finally, with digital data rather than paper files. Sometimes, however, it’s not too easy to draw a line, so some of the items listed might be debatable.

I started the list in November 2007. Older data breaches are not listed.

  1. October 22, 2008: Military official loses USB stick
  2. September 22, 2008: Provinciale Staten Limburg
  3. July 17, 2008: Fortis MeesPierson Bank
  4. July 15, 2008: T-Mobile
  5. June 6, 2008: Indonesian Embassy
  6. May 6, 2008: Various (Crimeserver)
  7. April 7, 2008: National Pop Institute
  8. January 18, 2008: Reader’s Digest (magazine)
  9. January 14, 2008: Planet (ISP)
  10. December 14, 2007: CZ (health insurance)
  11. December 12, 2007: Vecozo (health insurance)
  12. November 20, 2007: Dpt. of Defense

Oct 26, 2008: Military official loses USB stick (affected: unknown)
what: A military official lost a USB stick, which was later found by two men from The Hague, who subsequently tried to blackmail him and threatened to take their findings to the press. The official eventually reported the matter to the Military Police, who set up a fake meeting with the blackmailers and arrested them.
response: The Military Police are investigating whether the official was authorised to transfer data to a USB stick.
references: Security.nl, Oct 22, 2008

Sept 22, 2008: Provinciale Staten Limburg (affected: unknown)
what: Due to a mail server configuration error, a member of one political party within the Provincial States of Limburg received the internal mail of another political party. Given the often “explosive content” of those mails, Pierre Diederen (SP), the recipient, believed that somebody inside the CDA was deliberately leaking these e-mails. After two months, he warned the CDA.
response: Diederen was taken off the CDA mailing list.
references: Tweakers, Sept 22, 2008
Techzine, Sept 22, 2008

July 17, 2008: Fortis MeesPierson Bank (affected: unknown)
what: Fortis MeesPierson Bank, which accepts only clients worth more than 1 million euro, had an internal document in an openly accessible directory. The file contained data about Fortis MeesPierson’s richest clients: name, address, amount of savings, investments, mortgage, etc. The error was discovered by journalists from Z24.
response: Z24 contacted Fortis, which removed the document.
references: Z24.nl, July 17, 2008
Security.nl, July 18, 2008

July 15, 2008: T-Mobile (affected: 20 people)
what: A T-Mobile shop sent an e-mail to 20 customers informing them that their reservation for an iPhone had been duly processed. The shop put all the addressees in the cc field, allowing each of them to see the others’ names.
response: The T-Mobile head office sent a warning to all local shops, reminding them of the privacy procedures.
references: Webwereld, July 15, 2008

June 6, 2008: Indonesian Embassy (affected: 25,000 people)
what: The Indonesian Embassy’s website visa4indonesia.nl had a vulnerability that allowed visitors to see the data (name, address, travel information, passport numbers) of 25,000 Dutch people who had applied online for an Indonesian visa since 2007. The error was discovered by Orne Brocaar while he was applying for a visa himself.
response: Brocaar contacted the Embassy, which then reportedly fixed the error. There was some concern that Google might meanwhile have crawled the documents.
references: Webwereld, June 6, 2008

May 6, 2008: Various (Crimeserver) (affected: unknown)
what: Security firm Finjan discovered a web server controlled by criminals, containing more than 1.4 gigabytes of business and personal data stolen from infected PCs. The data consisted of 5,388 unique log files. The compromised data came from all around the world and contained information from individuals, businesses and renowned organizations, including healthcare providers.
The server contained, among others, 571 log files from the US, 621 from Germany, 322 from France, 308 from India, 232 from Great Britain, 150 from Spain, 86 from Canada, 58 from Italy, 46 from the Netherlands, and 1,037 from Turkey.
The web server hosted the malware that stole information from the infected PCs; the stolen data was then uploaded to the same web server, where, ‘without any access restrictions or encryption, the data were freely available for anyone on the web, including criminal elements.’ Finjan found compromised patient data, bank customer data, business-related e-mail communications and Outlook accounts containing e-mail correspondence.
response: Finjan contacted at least 40 companies whose computers had been compromised.
references: Finjan, May 6, 2008
Webwereld, May 7, 2008

April 7, 2008: National Pop Institute (affected: unknown)
what: The Dutch National Pop Institute briefly published telephone numbers, home addresses and e-mail addresses of Dutch pop musicians, managers, music industry VIPs and pop music journalists on its website. A number of famous people were among those affected.
response: The data was removed. The NPI did not mention the incident on its website.
references: Nu.nl, April 8, 2008

Jan 18, 2008: Reader’s Digest (magazine) (affected: 47,000 addressees)
what: Reader’s Digest has moved its ‘You might become a winner’ direct mail campaign over to e-mail and spammed 46,962 people. The mail contained a link to ‘your personal data’ and ‘your unique code’. By changing the code in the URL, the name and full postal address of all 47,000 spam recipients could be viewed.
response: Reader’s Digest CEO Margit de Koning said she was upset and would investigate the matter. She did not take the faulty website offline.
references: De Telegraaf, Jan 18, 2008

Jan 14, 2008: Planet (ISP) (affected: 2.5 million customers)
what: A sysadmin at Planet, a Dutch ISP, stored a backup of all client data in a user’s account as the result of a typing error (the user’s account name and the sysadmin’s differed by only one letter). The user warned Planet two weeks ago, but Planet did not take any action. The file contains the user names, aliases, IP addresses, encrypted passwords and subscribed services of all private and business Planet accounts. Using hashmaster, the user was able to decrypt all passwords.
response: Planet ignored the matter until the story spread. It then asked the user to delete the file. Planet claims that it will change its backup policy.
references: Tweakers, Jan 14, 2008
Nu.nl, Jan 14, 2008
Security.nl, Jan 14, 2008

Dec 14, 2007: CZ (health insurance) (affected: 55,000 people)
what: CZ, a health insurance company, was informed that, through sloppy security, the names, addresses, telephone numbers, social security numbers, bank details, dates of birth and type of insurance of prospective clients who had filled in a web form for a quotation were openly accessible.
response: CZ did nothing at first. When the news hit the media five days after the company had been informed, it closed that part of its website and apologised.
references: AD, Dec 14, 2007
Webwereld, Dec 14, 2007

Dec 12, 2007: Vecozo (health insurance) (affected: almost all insured people)
what: Vecozo, an organisation set up by the health insurance companies, created a password- and certificate-protected website where professionals can check whether patients are indeed insured. The newspaper Trouw discovered that currently 80,000 people can access those data: not only health professionals, but also nurses, home carers and taxi drivers. In other words, 1 out of every 200 people in the Netherlands has access to the site. One can look up the name, date of birth, address and social security number of anyone insured. It is possible to find the addresses of well-known people and of people who have secret addresses (for instance, battered women who have fled their husbands).
response: Vecozo declared that telephone numbers could not be accessed and refrained from all other comment.
references: Trouw, Dec 12, 2007
Webwereld, Dec 12, 2007

Nov 20, 2007: Ministry of Defense (affected: several thousand marines)
what: A 340-page list with the names, home addresses, functions and ranks of marine personnel was inadvertently put on a Defense website. Among them were the names and addresses of marines working for defense intelligence. The list was an internal document and was not meant for publication.
response: Defense removed the list after two days, but it lingered on several Defense-operated servers for several more days. After an assessment of the problem by Prof. Chris Verhoef, the ministry finally took down the website in mid-December.
references: AD, Nov 20, 2007
Webwereld, Nov 21, 2007
Automatiseringsgids, Dec 6, 2007