Dutch data breaches (Aug 16)

A chronological list of digital data breaches in the Netherlands (in Dutch: ‘datalekken’), insofar as they have become publicly known, since November 2007. If you have an entry to add to this list, please mail Karin Spaink, and make sure to include a reference to a news publication describing the event. The idea to create this list arose after three severe incidents occurred in a single month; the example was taken from the Privacy Rights Clearinghouse Data Breaches list.

This list is about data breaches. It’s about the unintentional leaking of data, not about exploits, hacks and/or vulnerabilities. Hence, it deals with unsecured and ‘misplaced’ data rather than with stolen data; with actual leaks rather than possible security holes; and finally, with digital data rather than paper files. Sometimes, however, it’s not easy to draw a line, so some of the items listed might be debatable. I started the list in November 2007. Older data breaches are not listed.

Rejo Zenger maintains a similar list. His criteria are slightly wider than mine. He has also spotted some data breaches that I hadn’t read about; I’ve included those. Additionally, Rejo now maintains Bits of Freedom’s data breach pages.

  1. Aug 16, 2010: TV show leaks data
  2. July 13, 2010: City leaks bank numbers
  3. July 13, 2010: Tour operator leaks bookings
  4. July 10, 2010: 10% of hospital personnel fell for phishing test
  5. July 06, 2010: Psychiatric/criminal files dumped on street
  6. July 05, 2010: E-mail addresses disclosed
  7. June 06, 2010: City sends wrong file
  8. May 28, 2010: Sensitive DoJ data published
  9. May 19, 2010: 75% of NL companies have leaked data
  10. May 18, 2010: Travelers’ info leaked
  11. May 04, 2010: Bank dupes duped
  12. Mar 01, 2010: Data of medical applicants leaked
  13. Feb 27, 2010: Tax papers of civil servants leaked
  14. Feb 26, 2010: Data of candidates 2006 election leaked
  15. Feb 25, 2010: Student info often leaked
  16. Feb 25, 2010: Data of hundreds of politicians leaked
  17. Feb 08, 2010: Notary puts clients passports online
  18. Feb 05, 2010: City Hall leaks e-mail addresses
  19. Feb 05, 2010: Secret service leaks employee mail addresses
  20. Jan 29, 2010: University of Utrecht leaks pay slips
  21. Jan 27, 2010: Dpt of Public Works leaks subscribers’ data
  22. Dec 17, 2009: Bank employee loses USB stick
  23. Nov 24, 2009: Social services leak e-mail addresses
  24. Sep 08, 2009: Government leaks credit card numbers
  25. Aug 12, 2009: Press agency leaks contact database
  26. June 23, 2009: Stayokay hotel bookings leaked
  27. June 17, 2009: Emergency info leaked online
  28. May 30, 2009: Two telcos hand over sms contents to intelligence service
  29. May 08, 2009: Hoster Vuurwerk/Tele2 leaks e-mail addresses
  30. May 04, 2009: Newspaper leaks e-mail addresses
  31. Apr 29, 2009: City police leaks e-mail addresses
  32. Apr 06, 2009: Dispute Committee website reveals all
  33. Mar 31, 2009: Magazine leaks new subscribers
  34. Mar 30, 2009: Bike locker codes up for grabs
  35. Mar 24, 2009: Police site leaks speeding pictures
  36. Feb 10, 2009: Free condom site leaks customer data
  37. Jan 02, 2009: Pathe leaks online reservations
  38. Dec 01, 2008: Lotto leaks 1 million data
  39. Nov 25, 2008: Hard disk owners don’t wipe
  40. Oct 22, 2008: Military official loses USB stick
  41. Sep 22, 2008: Provinciale Staten Limburg
  42. Jul 17, 2008: Fortis MeesPierson Bank
  43. Jul 15, 2008: T-Mobile
  44. Jun 06, 2008: Indonesian Embassy
  45. May 06, 2008: Various (Crimeserver)
  46. Apr 07, 2008: National Pop Institute
  47. Jan 18, 2008: Reader’s Digest (magazine)
  48. Jan 14, 2008: Planet (ISP)
  49. Dec 14, 2007: CZ (health insurance)
  50. Dec 12, 2007: Vecozo (health insurance)
  51. Nov 20, 2007: Dpt. of Defense
Aug 16, 2010 TV show leaks data 13.000
what: Breekijzer is a by now defunct tv show to which people could send their complaints about companies, institutes and government bodies; the program would select some of these complaints and attempt to help the complainers. All (or most) of the complaints that Breekijzer received are stored in an online database; once you had logged in to see your own complaint, you could easily see all other complaints by merely changing the complaint number. Thus, 13.000 complaints were retrievable. All complaints listed name, address, telephone number, e-mail address, and gender. Often, the complaint itself has a private nature.
response: Pieter Storms – the owner of the TV show – did not respond to warnings. In the end, his ISP took measures to prevent further leaking.
references: Bits of Freedom, August 16, 2010
July 13, 2010 City leaks bank numbers unknown
what: Private data of people who have received a building license in Groningen is visible via the city’s website. (One needs to apply for such a license when expanding one’s house or building an extension to it.) Data disclosed are names, addresses, bank numbers, signatures and telephone numbers. In April of this year, the city removed the general index to all approved licenses when warned that it was thus leaking data, and considered the matter done. As it turns out, the data are still accessible simply by increasing or decreasing the file number in a URL.
response: None, as of yet.
references: Oog.tv, July 13, 2010
July 13, 2010 Tour operator leaks bookings unknown
what: Dutch tour operator Corendon gives people who’ve booked via their site a client number and a booking number. It turns out that these are handed out sequentially, so by just increasing or decreasing the number in the query, one can see other people’s data. Visible were: destination, date of departure, return date, flight information, amount paid, amount left to be paid, plus information about all people booked: names, addresses, telephone number, date of birth.
response: Jeroen van der Gun discovered the leak and warned Corendon on June 28. On July 7, Corendon changed the login procedure for clients, who now also have to enter an e-mail address to see their booking.
references: Website Jeroen van der Gun, July 13, 2010
Bits of Freedom, July 13, 2010
July 10, 2010 10% of hospital personnel fell for phishing test 1423
what: Erasmus MC, the biggest academic hospital in The Netherlands, puts quite some effort into security awareness and data hygiene. (They participated in my September 2006 Electronic Patient Files test, and did relatively well; also, they used the results of my test to again stress the need for data hygiene among personnel.) In June, the hospital tested its own personnel by sending a hospital-wide phishing mail, asking addressees to please give their account name and password. 1423 people complied – slightly more than 10% of all Erasmus MC personnel.
response: The board summed up the results of their test in a new mail to all personnel, and started a new campaign for data hygiene awareness.
references: Mail of Erasmus MC to personnel, June 2010
Security.nl, July 12, 2010
July 06, 2010 Psychiatric/criminal files dumped on street unknown
what: DPD, the District Psychiatric Service in The Hague – which keeps the psychiatric and criminal records of (former) detainees – dumped a box full of such records on the street, together with ‘other garbage’. A passerby found the box and reported the matter to the Dutch privacy authority (CPB). This was in January 2010. The CPB has now reported on the case and discovered that for years, all medical and criminal files of detainees were stored in an unprotected cellar.
response: The CPB reminded the Dpt of Justice and DPD that records like these are highly sensitive data and merit strong protection.
references: CPB report, June 2010
Security.nl, July 6, 2010
July 05, 2010 E-mail addresses disclosed 375
what: NLKabel – a field organization for cable providers – sent its daily newsletter to subscribers. The addresses of 375 of them ended up in the e-mail itself.
response: NLKabel confirmed its mistake.
references: Bits of Freedom, July 5, 2010
June 06, 2010 City sends wrong file 2800
what: After requesting a directory of the services of city X, a citizen of that city was sent not that directory, but a file containing the names of the circa 2800 people living in that city who may not renew their passport or who have to hand in their passport. Reasons why people end up on this so-called Alert List: they’ve lost their passport too often (and are suspected of fraud or trafficking in passports); they owe the government money (taxes, fines, alimony); they’ve lost Dutch nationality; they’re bankrupt; or they’re involved with criminal offenses. Every city receives an Alert List from the Dpt. of Internal Affairs once per month.
response: The Dpt. of Internal Affairs will remind all city authorities to treat the Alert List as sensitive data, and is considering sending it in the form of protected digital data in the future. Currently, the Alert List is sent in paper form.
references: Dpt. of Internal Affairs, June 6, 2010
May 28, 2010 Sensitive DoJ data published unknown
what: Various web sites have published ‘documents containing sensitive data’ from the Department of Justice’s national penitentiary task force (Landelijke Bijzondere Bijstandseenheid), which is called in when there are problems in jails. The nature and the scope of the leak are unclear, but it seems that the documents contain information about the task force’s organisation, including phone numbers.
response: The DoJ has asked the owners of the web sites concerned to remove the information and has taken ‘measures to minimise the risk for its employees’.
references: Nu.nl, May 28, 2010
May 19, 2010 75% of NL companies have leaked data 168,000
what: A study by Accenture and the Ponemon Institute shows that 75 percent of Dutch companies have had a data breach in which they lost employee, client or customer data. That’s more than the global percentage, which stands at 58 percent.
response:
references: Security.nl, May 19, 2010
May 18, 2010 Travellers’ info leaked 168,000
what: The web site Ervaar het OV (Experience Public Transport) is a government site promoting the new public transport chip card (OV card). Visitors can order a personal OV card, get reduction vouchers and special offers via the site. For months, the customer database could be accessed (and changed) via a simple SQL injection; the data of the 168,000 people who have registered via the site were available. Their data included name, address, date of birth, telephone number and e-mail address, and possibly their passport number and payment method. Hacker ins3ct3d proved the leak by retrieving all the data of a journalist.
response: After having been informed of the leak, the government closed the site. The OV chip card is mandatory in some regions in NL, and will be rolled out in others in the coming months. The SP (a political party) will motion for a freeze: this is the umpteenth vulnerability/leak with regard to the OV chip card.
references: Webwereld, May 18, 2010
May 04, 2010 Bank dupes duped several dozen
what: Many people who were duped by DSB Bank going broke joined the foundation Hypotheekleed (‘mortgage pains’). One of them suddenly started to receive e-mails containing the names, data and mortgage information of other members. Apparently, this happened because one of the employees of the foundation entered the wrong e-mail address.
response: Hypotheekleed admitted the error and promised to be more careful in the future.
references: De Telegraaf, May 4, 2010
Mar 01, 2010 Data of medical applicants leaked unknown
what: The data of people who applied for a specialization as general practitioner after having finished their primary medical education, leaked via the website Huisartsenopleiding. Appending a first name to a specific url was sufficient to see all of the applicant data: address, date of birth, SSN, medical ID number, education, diplomas, previous jobs, etc., if an applicant with that first name existed.
response: Huisartsenopleiding was rather shocked and immediately modified their website.
references: Bits of Freedom, March 1, 2010
Feb 27, 2010 Tax papers of civil servants leaked several hundreds
what: The 2009 tax reports of all civil servants, city council members and assistants of the municipality Woudenburg/Scherpenzeel were leaked; newspaper De Telegraaf received a paper copy of all papers. The papers include name, address, SSN, salaries, other income, bank savings, deductions etc. of everybody working for the municipality and the city council, from the mayor to the members of the fire brigade. It’s unclear how the data were leaked and why they were sent to the press.
response: City Hall has asked the police to investigate the matter.
references: De Telegraaf, Feb. 27, 2010
Feb 26, 2010 Data of candidates 2006 election leaked several hundreds
what: Private information such as telephone numbers and home addresses of all candidates for the 2006 national election were leaked, including the address of prime minister Balkenende and several other members of the government. The data were leaked via open directories on the websites of the Zaandam and the Lith municipalities. (During the 2006 elections, many municipalities used the Nedap voting computers. The candidate lists were fed into the computers and apparently, Lith and Zaandam put this information in an unprotected directory.)
response: The open dirs were closed; Google’s cache still reveals the documents.
references: Webwereld, Feb. 26, 2010
Feb 25, 2010 Student info often leaked several thousands
what: The teachers’ union (Algemene Onderwijsbond) researched how often student information is accessible via Google. They found quite a lot: lists of home addresses, student reports, progress reports, assessment reports. The union notified all the universities, faculties and training colleges that were at fault. It’s the second time that the Algemene Onderwijsbond has embarked on such a student privacy scan.
response: Most colleges and faculties remedied the situation as best as they could.
references: AOB, Feb. 25, 2010
Feb 25, 2010 Data on hundreds of politicians leaked several hundreds
what: The addresses, telephone numbers, mobile phone numbers, home e-mail addresses and work e-mail addresses of hundreds of politicians (all members of the PvdA, the Dutch social democrats) and a number of their sponsors are out in the open. Although the list focuses on party members in the Amsterdam area, it also contains the data of the chair of the Dutch Parliament and several members of the European Parliament. Google has indexed the file.
response: A few hours after the news was published and the owners of the website were contacted, they managed to close the open directory.
references: Webwereld, Feb. 25, 2010
Feb 08, 2010 Notary puts clients passports online several hundreds
what: Veilingnotaris.nl tries to list all online real estate auctions. Apparently their site is badly protected: Google has indexed quite some client information, including passport copies, notary deeds, registry information etcetera. The published information concerns both recent and old auctions.
response: Internet Notaries, the owner of veilingnotaris.nl, denied all responsibility. ‘All similar agencies publish this kind of information’, they claim, ‘and besides, it’s the responsibility of the notary who’s doing the auction.’
references: GeenStijl, Feb. 08, 2010
Webwereld, Feb. 08, 2010
Feb 05, 2010 City Hall leaks e-mail addresses 500
what: A civil servant sent a questionnaire to 500 citizens in Tilburg, and managed to put all e-mail addresses in the CC field instead of the BCC field.
response: Some citizens weren’t pleased at all and refused to cooperate with the questionnaire.
references: Omroep Brabant, Feb. 05, 2010
Feb 05, 2010 Secret Service leaks employee mail addresses 4
what: In a document published by the AIVD (Dutch Secret Service) about digital espionage, the meta-data reveal the e-mail addresses of four employees. From the meta-data of another document, search engine expert Henk van Ess was able to infer part of the secret service’s internal hierarchy.
response: The AIVD admitted that they had inadvertently released this information, and have done so before; they will investigate how to stop doing this.
references: Webwereld, Feb. 05, 2010
Jan 29, 2010 University of Utrecht leaks pay slips unknown
what: Randstad HR Solutions, which apparently takes care of the payroll information of the employees of the University of Utrecht, made an error. Employees did not only receive their own January pay slip and yearly overviews, but also slips and overviews intended for others. Randstad HR Solutions stated that the error was made by TNT Cendris, who delivered the slips and overviews.
response: The University sent a mail to all employees informing them of the error, asked them to destroy the envelope, and will send out new pay slips and yearly overviews. Almost two weeks later, the University stated that the extra slips had only been sent to the administration office and that no data had been leaked.
references: Security.nl, Jan. 29, 2010
Ublad Online, Feb. 9, 2010
Jan 27, 2010 Dpt of Public Works leaks subscribers’ data unknown
what: The Dpt of Public Works (Rijkswaterstaat) installed a new profile system on their web site that subscribers to their newsletter had to use. When logging in to the system, subscribers were presented with the personal data of the previous visitor. The leaked data included first name, last name and e-mail address. Whether one could also change the presented data is unclear.
response: The Dpt. took the system down and fixed the problem.
references: Webwereld, Jan. 27, 2010
Dec 17, 2009 Bank employee loses USB stick 3000
what: An employee of the Rabobank lost his USB stick, which held the data of 3000 customers. Apart from the personal information of each of those customers, the stick contained information about the various forms of investments these customers had engaged in, plus the grand sum of their total investments. Somebody found the USB stick and gave it to a regional newspaper, which then contacted the bank.
response: The bank was ‘surprised’, which indicates that the employee hadn’t reported the USB stick as missing. The bank said it will point out safety measures to its employees.
references: Security.nl, Dec. 17, 2009
Nu.nl, Dec. 17, 2009
Tweakers.net, Dec. 17, 2009
Nov 24, 2009 Social services leak e-mail addresses 1151
what: UWV Harderwijk en Ommen sent an e-mail to 1151 jobless people and made the classic mistake of putting everybody in the To: field instead of the BCC: field.
response: The UWV will enhance checks: in the future, all such mails will be inspected by a colleague before they are sent off.
references: De Stentor, Nov. 24, 2009
Sep 08, 2009 Government leaks credit card numbers 2
what: When releasing the expense claim files of members of the government, the Dpt. of Justice failed to properly black out the number and expiry date of the credit cards of the minister of Health and the minister of Justice.
response: Both ministers had to be issued new credit cards.
references: Nu.nl, Sep 8, 2009
GeenStijl, Sep 8, 2009
Aug 12, 2009 Press agency leaks contact database thousands
what: Press agency GPD managed to allow Google to index its contact database stored on their intranet, thus releasing phone numbers of thousands of well-known Dutch people. Among those whose contact information was published were the Dutch prime minister, politician Geert Wilders, lawyer Gerard Spong and tv host Felix Meurders.
response: The GPD blamed the company maintaining their intranet.
references: Tweakers, Aug 12, 2009
NRC Handelsblad, Aug 12, 2009
June 23, 2009 Stayokay hotel bookings leaked unknown
what: By lowering the number in the URL where your booking is accessible, one could retrieve other people’s hotel bookings. Name, address and dates of stay were visible.
response: Stayokay fixed their web site.
references: Tweakers.net, June 23, 2009
June 17, 2009 Emergency info leaked online unknown
what: The information that emergency services such as ambulances send to one another was transmitted unencrypted. Because the C2000 system in Brabant (a Dutch province) didn’t have full coverage, emergency services used P2000 instead, which sends unanonymized data: name, address, ailment etc. In one case, details of a suicide attempt gone wrong were put online.
response: Brabant will get more extensive C2000 coverage.
references: Security.nl, June 17, 2009
May 30, 2009 Two telcos hand over sms contents to intelligence unknown
what: Telcos Vodafone and T-Mobile decided it was too much hassle to separate traffic data from content. When the Dutch intelligence service AIVD asked them for traffic data of sms messages, they delivered the content as well. The practice continued even after Vodafone and T-Mobile were informed of their error.
response: Both companies claimed that it was impossible to separate traffic data from content. When competitor KPN announced it had no problem doing so, Vodafone and T-Mobile promised to change their policy. In Jan 2010, this ‘mistake’ earned both telcos a Big Brother Award nomination.
references: NRC Handelsblad, May 30, 2009
Tweakers.net, May 30, 2009
May 08, 2009 Hoster Vuurwerk/Tele2 leaks e-mail addresses 114.093 subscribers
what: Due to a patch for Majordomo that was never installed, a simple ‘which @’ command sent by mail resulted in a list of all 114.093 people who were subscribed to any of Vuurwerk’s mailing lists.
response: The hoster apologized and fixed the error.
references: Webwereld, May 8, 2009
May 04, 2009 Newspaper leaks e-mail addresses 32.781 people
what: A .txt file containing 32.781 e-mail addresses of people who are subscribed to the electronic newsletter of Het Dagblad van het Noorden was openly available on the newspaper’s website. The list has leaked to the net and has been indexed by search engines.
response: The newspaper apologized.
references: Fok.nl, May 4, 2009
Nu.nl, May 4, 2009
Apr 29, 2009 City police leaks e-mail addresses 650 people
what: When attempting to manually send a newsletter informing people in Delft of a plan to enlist citizens in the solving of crimes, a police spokeswoman accidentally put the e-mail addresses of 650 people in the cc-field instead of the bcc-field.
response: The person who made the mistake offered her apologies.
references: Webwereld, April 29, 2009
Apr 6, 2009 Dispute Committee leaks all ca. 40.000 claimants
what: The website of the Dispute Committee – a governmental body that resolves disputes between citizens and corporations – turned out to have been badly protected for more than a year. People who had been given a case number and a login could access all other cases on the website. Reporter Jeroen Wollaars (who had a login because he was involved in a case at the Dispute Committee) could retrieve documents going as far back as 2005, and could access other people’s claims, company counter claims, pleas, bills, financial reports, and other sensitive data. The Committee deals with more than 10.000 claims per year; all these documents were retrievable.
response: The Dispute Committee closed their website, stating they would only re-open it after a thorough security check. A month later, the website was still closed.
references: NOS, April 6, 2009
Mar 31, 2009 Magazine leaks new subscribers 80-90 subscribers
what: Bright, a magazine about technology and internet, had an error on the site that leaked the personal data – name, home address, bank account, mobile number – of people who had recently subscribed through the website. Google had already indexed the data, as security expert and recent subscriber Geert Booster discovered.
response: The site was fixed, and Google was asked to flush its cache.
references: Webwereld, Mar 31, 2009
Bright, Mar 31, 2009
Mar 30, 2009 Bike locker codes up for grabs 50.000 customers
what: The personal details – name, home address, bank account, card number and unlock code – of the 50.000 people who have a subscription with OV-fiets, where they rent a bike locker at train stations, were available through the OV-fiets website. To retrieve personal data from the website, no password was needed, only a ‘personal’ number. By typing in subsequent numbers, other people’s data were freely available.
response: The site was fixed after security expert and OV-fiets customer Mendel Mobach alerted OV-fiets.
references: Webwereld, Mar 30, 2009
Bright, Mar 30, 2009
Mar 24, 2009 Police site leaks speeding pictures unknown
what: People who have received a speeding ticket can check the pictures used as evidence at Mijnpolitiebureau.nl. Unfortunately, the site allowed browsing through other people’s pictures, which showed cars, license plate, date and location.
response: The site was fixed.
references: De Telegraaf, Mar 24, 2009
Tweakers, Mar 24, 2009
Feb 2, 2009 Condom site leaks customer data 10.000 customers
what: The website GratisCondoom.com, which mails free condoms to young people at their request, sends customers a mail with a client number. By changing the number, one could access other clients and see all their data, including name, address, zip code and city. More than 10.000 customers were affected. What’s especially painful is that the service is intended for youngsters who are shy to buy condoms in a shop.
response: The site was adjusted immediately after a customer notified them of the faulty security.
references: NU.nl, Feb 10, 2009
Dec 01, 2008 Lotto leaks data 1 million people
what: The Dutch Lotto bought the addresses of subscribers to Veronica Magazine and sent them a letter with a special action code to be used on a web site. Due to faulty security, all names and addresses were retrievable, sorted by postal code. Subscribers to the magazine didn’t even know that their data had been sold.
response: Lotto adjusted the site after having been informed about the error.
references: Webwereld, Dec 1, 2008
Jan 2, 2009 Pathe leaks online reservations all online customers
what: A publicly accessible computer in an Amsterdam Pathe cinema allowed browsing of the system via the trash can. People could access a list containing information of all people who had made internet reservations in 2008.
response: Pathe did not comment.
references: Bright, Jan 2, 2009
Nov 25, 2008 Half of discarded hard disks contain private data unknown
what: An investigation by Surfnet shows that half of all discarded hard disks contain confidential data. The organization bought secondhand hard disks in computer shops. Many disks turned out to contain private and confidential data. Some disks had clearly belonged to businesses and organizations. Amongst others, Surfnet found a complete database of a health organization, internal data from the IT department of an airline company, and confidential data belonging to private persons.
response: The advice is to properly wipe hard disks before reselling them.
references: Surfnet press release, Nov 25, 2008
Surfnet report, Nov 25, 2008
Oct 26, 2008 Military official loses USB stick unknown
what: A military official lost a USB stick, which was later found by two guys from The Hague, who subsequently tried to blackmail him and threatened to report their findings to the press. The official finally reported his problems to the Military Police, who set up a fake meeting with the blackmailers and arrested them.
response: The Military Police is investigating whether the official had a right to transfer data to a USB stick.
references: Security.nl, Oct 22, 2008
Sept 22, 2008 Provinciale Staten Limburg unknown
what: Due to a mail server configuration error, a member of one political party within the Provincial States of Limburg received the internal mail of another political party. Due to the often “explosive content” of those mails, Pierre Diederen (SP), the recipient, believed that somebody from within the CDA was actually leaking these e-mails. After two months, he warned the CDA.
response: Diederen was taken off the CDA mailing list.
references: Tweakers, Sept 22, 2008
Techzine, Sept 22, 2008
July 17, 2008 Fortis MeesPierson Bank unknown
what: Fortis MeesPierson Bank, which accepts only clients worth more than 1 million euro, had an internal document in an open directory. The file contained data about Fortis MeesPierson’s richest clients: name, address, amount of savings, their investments, mortgage etc. The error was discovered by journalists from Z24.
response: Z24 contacted Fortis, who removed the document.
references: Z24.nl, July 17, 2008
Security.nl, July 18, 2008
July 15, 2008 T-Mobile 20 people
what: A T-Mobile shop sent out a mail to 20 customers informing them that their reservation for an iPhone had been duly processed. The shop put all the addressees in the cc-field, allowing all of them to see one another’s name.
response: The main T-Mobile office sent a warning to all local shops, reminding them of the privacy procedures.
references: Webwereld, July 15, 2008
June 6, 2008 Indonesian Embassy 25,000 people
what: The Indonesian Embassy had a vulnerability on their website visa4indonesia.nl, allowing visitors to see the data (name, address, travel information, passport numbers) of 25.000 Dutch people who had applied online for an Indonesian visa since 2007. The error was discovered by Orne Brocaar while he himself applied for a visa.
response: Brocaar contacted the Embassy, who then reputedly fixed the error. There was some concern that Google might meanwhile have crawled the documents.
references: Webwereld, June 6, 2008
May 6, 2008 Various (Crimeserver) unknown
what: Security firm Finjan discovered a web server controlled by criminals, containing more than 1.4 Gigabyte of business and personal data stolen from infected PCs. The data consisted of 5,388 unique log files. The compromised data came from all around the world and contained information from individuals, businesses and renowned organizations, including healthcare providers.
The server contained among others 571 log files from the US, 621 from Germany, 322 from France, 308 from India, 232 from Great Britain, 150 from Spain, 86 from Canada, 58 from Italy, 46 from the Netherlands, and 1,037 from Turkey.
The web server hosted malware that stole information from infected PCs and then stored that data on the web server; ‘without any access restrictions or encryption, the data were freely available for anyone on the web, including criminal elements.’ Finjan found compromised patient data, bank customer data, business-related email communications and Outlook accounts containing email communication.
response: Finjan contacted at least 40 companies whose computers had been compromised.
references: Finjan, May 6, 2008
Webwereld, May 7, 2008
April 7, 2008 National Pop Institute unknown
what: The Dutch National Pop Institute managed to briefly publish telephone numbers, home addresses and mail addresses of Dutch pop musicians, managers, music industry VIPs and pop music journalists on its website. Amongst those affected are a number of famous people.
response: The data were removed. On its website, the NPI did not mention the incident.
references: Nu.nl, April 8, 2008
Jan 18, 2008 Reader’s Digest (magazine) 47.000 addressees
what: Reader’s Digest has moved its ‘You might become a winner’ direct mails over to e-mail, and spammed 46.962 people. The mail contained a link to ‘your personal data’ and ‘your unique code’. By changing the code in the URL, the name and full postal address of all 47.000 spam recipients could be seen.
response: Reader’s Digest CEO Margit de Koning said she was upset and would investigate the matter. She did not close the faulty website.
references: De Telegraaf, Jan 18, 2008
Jan 14, 2008 Planet (ISP) 2,5 million customers
what: One of the sysadmins of Planet, a Dutch ISP, stored a backup of all client data in a user account, as the result of a typing error (the user’s account and the sysadmin’s differed by only one letter). The user warned Planet two weeks ago, but Planet did not take any action. The file contains the user names, aliases, IP addresses, encrypted passwords and used services of all private and business Planet accounts. Using hashmaster, the user could decrypt all passwords.
response: Planet ignored the matter until the story spread. It then asked the user to delete the file. Planet claims that it will change its back-up policy.
references: Tweakers, Jan 14, 2008
Nu.nl, Jan 14, 2008
Security.nl, Jan 14, 2008
Dec 14, 2007 CZ (health insurance) 55.000 people
what: CZ, a health insurance company, was informed that through sloppy security, the names, addresses, telephone numbers, social security numbers, bank information, dates of birth and type of insurance of prospective clients who had filled in a web form for a quotation were out in the open.
response: CZ didn’t do anything. But when the news hit the media five days after they were informed, they closed that part of their web site and apologised.
references: AD, Dec 14, 2007
Webwereld, Dec 14, 2007
Dec 12, 2007 Vecozo (health insurance) almost all insured people
what: Vecozo, an organisation set up by health insurance companies, has created a password and certificate protected web site where professionals can check whether patients are indeed insured. The newspaper Trouw discovered that currently, 80.000 people can access those data: not only health professionals, but also nurses, home carers and taxi drivers. In other words: 1 out of every 200 in NL has access to the site. One can access name, date of birth, address and social security number of those insured. It’s possible to find the addresses of well-known people and of people who have secret addresses (for instance, battered women who’ve fled their husbands).
response: Vecozo declared that one could not access telephone numbers and refrained from all other comments.
references: Trouw, Dec 12, 2007
Webwereld, Dec 12, 2007
Nov 20, 2007 Ministry of Defense several thousands marines
what: A 340-page list with names, home addresses, functions and ranks of marine personnel was inadvertently put on a Defense web site. Among them were the names and addresses of marines working for defense intelligence. The list was an internal document and not meant for publication.
response: Defense removed the list after two days, but it lingered on several Defense operated servers for several days. After an assessment of the problem by prof. Chris Verhoef, the department finally took down the website in mid December.
references: AD, Nov 20, 2007
Webwereld, Nov 21, 2007
Automatiseringsgids, Dec 6, 2007