2021 will go down in the history books as one of the most turbulent years ever for cybersecurity and information security. One data breach was barely over when the next breach presented itself. Many companies were confronted with this in the past year.
In this article, we look at the 10 largest data breaches of 2021. We limit ourselves to cases where the personal data of Dutch people was stolen. A data breach such as that at T-Mobile, in which data from more than 54 million American customers was stolen, is not included in our list.
#1 GGD – lively trade in personal data
The most notorious data breach of 2021 is without a doubt the leak at the GGD. It was discovered that thousands of employees had access to the personal and medical data of everyone who had been tested for corona, or who was part of a source and contact investigation.
This includes first and last names, residential addresses, contact details, citizen service numbers (BSN), medical conditions and medication use. This data was stored in two IT systems and sold to the highest bidder through channels such as Telegram, Snapchat and Wickr.
To make matters worse: the first reports that the registration system was not in order came in the summer of 2020. Employees confirmed that the GGD’s top management deliberately decided to ignore these warnings. André Rouvoet, chairman of the national umbrella organization GGD GHOR, openly apologized for the course of events.
The outgoing Minister of Health Hugo de Jonge also ate humble pie in the House of Representatives. He admitted that he should have been stricter about the security of personal data. To top it off, the Dutch Data Protection Authority concluded that the security of the data left something to be desired.
After the media wrote about the leak, the minister had additional security measures taken. The GGD largely switched off the print and export functionality, limited the search options in the computer systems, had more internal checks and external audits carried out to prevent abuse and had the VOG administration (Verklaring Omtrent het Gedrag, the Certificate of Conduct) put in order.
According to official figures, the personal data of 1,250 people has been sold. In theory, more than 6.5 million Dutch people could have been the victims of bad security practices. The ICAM Foundation is therefore now threatening a claim running into the billions. The foundation is demanding compensation of EUR 500 for anyone named in the GGD’s systems, and EUR 1,500 for the victims whose data is known to have been sold.
#2 Ticketcounter – data breach due to human error
A bell may not immediately ring when you hear the name Ticketcounter. Nevertheless, there is a good chance that you have been helped regularly by this company. Ticketcounter provides the reservation system for zoos, amusement parks, museums, theatres and retailers. For example, if you buy an entrance ticket for Burgers’ Zoo online, Ticketcounter will process your reservation details.
At the beginning of March, Ticketcounter was confronted with a data breach. The leak was caused by human error: an employee had accidentally placed the customer data of one and a half to two million Dutch people on an unsecured server.
Without the company realizing it, hackers and cybercriminals had access for months to privacy-sensitive personal data such as names, addresses, dates of birth, telephone numbers, e-mail addresses and bank account numbers.
An unknown person stole this data and threatened to sell the data on the dark web. He demanded seven bitcoins in ransom from Ticketcounter, which at the time had a value of 285,000 euros. General manager Sjoerd Bakker said from the outset that he had no intention of paying.
After the digital break-in, the Dutch Data Protection Authority sent a letter to 46 companies, in which the supervisor pointed out their obligation to report. Despite this, few entrepreneurs actually took action, because they did not know exactly whom to inform. Ticketcounter then decided, in consultation with the privacy watchdog, to inform affected consumers itself about the data breach.
#3 RDC – largest data breach in Dutch history
Due to a data breach at RDC, the personal data of millions of Dutch car owners was stolen. RDC is an ICT service provider for car garage companies that automates maintenance processes. For example, if someone has to take their car to the garage for a general periodic inspection (MOT), this person will automatically receive a message.
RDC not only processes the personal data of customers but also vehicle data such as the license plate number, type of car and maintenance data. This information is extremely interesting for criminals: it allows them to see at a glance where to find expensive cars.
Cybersecurity company Fox-IT discovered that the data came from RDC’s CaRe-mail. The investigators were never able to determine how the hackers managed to access this tool, due to issues with various log files. It is estimated that the perpetrators stole the personal and vehicle data of 7.3 million Dutch people. If that number is correct, then this is the largest data breach we have ever seen in our country.
Director Jan-Willem Gefken said he had learned important lessons from the incident. “If we have learned one thing in the past period, it is that you can think that your data and systems are safe, but you can never be one hundred per cent sure.
It is a societal challenge to ensure that data is and remains safe with companies. We do our part by sharing the lessons learned with our customers so that they can benefit from it,” said the CEO.
#4 Allekabels.nl – leak is ‘extremely interesting and valuable’ for hackers
We saw another data breach with millions of Dutch victims at Allekabels.nl. Initially, the online retailer wrote in an email to customers that an employee who worked from home was responsible for the leak. According to the company, he had collected the data of about 5,000 customers. They all received a message about the leak.
In reality, the data breach turned out to be much bigger than we had imagined. A hacker named Chippy1337 told RTL Nieuws that he had installed a backdoor in August 2020. The hacker managed to get hold of the private data and passwords of 3.6 million Dutch people through this backdoor: 2.6 million directly from the Allekabels.nl database, the remaining million via sales platforms such as Bol.com and Amazon.nl. No e-mail addresses or passwords were stolen from the latter group.
At the end of January, the attacker offered the full dataset on a hacker forum on the dark web. The data has reportedly been sold for more than 15,000 euros. “The Allekabels leak is extremely interesting and valuable for cybercriminals because of all the passwords and sensitive information,” said ethical hacker Ricky Gevers.
#5 Homerun – personal data of (tens of) thousands of applicants seen by hacker
The Amsterdam software company Homerun develops application forms for companies that have open vacancies. Candidates fill in this form, so that their personal data, CVs and motivation letters end up in the Homerun database.
A vulnerability in the Apache webserver software allowed hackers to access the customer data Homerun kept on the Amazon Web Services (AWS) cloud server. As a result, privacy-sensitive data of thousands – possibly even tens of thousands – of job applicants has been viewed.
Homerun confirmed to VPNGids.nl that the attackers had copied customer data. In collaboration with cybersecurity company Northwave, the software company was able to conclude ‘an agreement’ with the attackers. As part of that, all stolen data was erased. The chance that the stolen data ends up on a hacker forum on the dark web is therefore excluded.
Additional research by the media showed that various companies had far exceeded the retention period for the personal data of applicants. Some parties kept this data for as long as four to five years after the application procedure was completed.
The usual retention period for such data is four weeks. The Correspondent, Tony’s Chocolonely, Amac, Blendle and Prowise acknowledged that mistakes had been made and promised to improve.
#6 Blue Sky Group – pension data of tens of thousands of former KLM employees leaked
In August, pension manager Blue Sky Group had to deal with a data breach. Because an employee clicked a malicious link in a phishing email, hackers managed to gain access to his inbox. They then penetrated several computer systems and had access to the personal data of tens of thousands of retired KLM employees.
In addition to names and contact details, policy and bank account numbers and information about accrued pension amounts may have been stolen during the hack. According to the pension administrator, no data has been leaked of employees who are currently accruing pension. Immediately after the leak was discovered, the company had it closed and took additional measures to prevent a recurrence.
In addition to KLM, Blue Sky Group also manages the pensions of Philips and SNS Reaal, among others. At Philips, the data of approximately 500 retired employees who live abroad is said to have been obtained.
#7 Testcoronanu – database was wide open
It was not only the GGD that went wrong with the protection of personal data. At Testcoronanu, a company that took part in the Testenvoorjereis.nl initiative, the problems were of a completely different order. Research by RTL Nieuws showed that it was childishly easy to manipulate the results of a corona test.
How? By entering two extra lines of code into your web browser. After that, you filled in the desired details and you automatically received a valid corona ticket in the CoronaCheck app. In the same way, you could also create a European corona certificate, or change a positive result into a negative one.
That was not the only shortcoming at Testcoronanu. The leak allowed everyone to view the private and personal data of more than 60,000 Dutch people. This was possible because the management environment of Google’s Firestore database system was not protected by the corona test company.
As a result, the door to privacy-sensitive data was wide open. Names, residential addresses, e-mail addresses, telephone numbers, dates of birth, passport numbers and medical data were there for the taking.
Frederik Zuiderveen Borgesius, professor of ICT & Law at Radboud University Nijmegen, called the data breach ‘very shocking’.
“It doesn’t get much more sensitive than this. This is exactly what medical privacy is for: that people dare to get tested because they need to be able to trust that their data is safe. You notice that this is not yet sufficiently alive among parties that have recently entered the testing industry en masse, and that is why things are now going so wrong.”
#8 ROC Mondriaan – privacy-sensitive student data ends up on the dark web
In August, ROC Mondriaan was startled by a data breach. Hackers were able to penetrate a number of physical servers with the help of ransomware and obtain confidential and privacy-sensitive information.
Further investigation revealed that the attackers managed to steal personal data from teachers and students. They also had access to emails sent to parents, class lists, complaint handling forms, and school financial records and business protocols.
Outgoing Minister of Education, Culture and Science Ingrid van Engelshoven wrote to the House of Representatives that the attackers demanded four million euros in ransom from the school community. Hans Schutte, president of the Executive Board, confirmed this to the media. He also said that the educational institution has not paid the ransom. The perpetrators then placed the stolen information on the dark web.
According to the school, it involved a ‘large amount of data’. Students were urged not to search for their data themselves because the data could be infected with malware.
“Opening files can harm your device,” the school board said. Students were advised to be aware of phishing emails and to change their passwords for other websites and online services.
ROC Mondriaan was not the only educational institution that had its hands full with a data breach last year. The same happened to Arnhem-Nijmegen University of Applied Sciences (HAN), Hanze University Groningen and the University of Applied Sciences and the University of Amsterdam (AUAS and UvA).
#9 Raven Hengelsport – personal data of 200,000 customers for sale for $400
Raven Hengelsport is one of the largest suppliers of fishing equipment in the Netherlands. The angling chain has branches in Almelo, Lelystad, Rijen and Steenwijk. In addition to the four branches, the fisherman’s shop also has a webshop where customers can go for their fishing articles. In November 2020, the chain’s web store was given a facelift.
Something went wrong during the transition from the old to the new webshop. A database with customer data from around 2018 accidentally turned out to be accessible to everyone. An unknown hacker saw his chance and collected the names, addresses, telephone numbers and e-mail addresses of about 200,000 customers. He offered this data for sale on a hacker forum for $400.
Thanks to a tip, Raven Hengelsport got wind of the data breach in March 2021. That same day, the dataset disappeared from the hacker forum. Coincidence? Who can say? Dennis de Jong, manager at the sports fishing chain, was relieved when he heard that there were no bank details or passwords among the data. “But this is annoying for our customers, as they may become victims of phishing,” he told NU.nl. The leak has been reported to the Dutch Data Protection Authority and the victims have been informed about it.
#10 Ministry of Justice and Security – external employee goes out of bounds
Last summer, the personal data of 65,000 civil servants ended up in places where they did not belong. A former employee who was hired externally to perform quality checks on access services was found to have caused the data breach. He had, against the rules, copied an analysis tool and the associated data to his own work environment and two other government services.
Employees of the Public Prosecution Service, GGD GHOR, IT service providers and the employer of the hired worker had access to the name, organisation, place of birth, date of birth, nationality, type of employment, ID or passport number, national card number, e-mail address and gender of tens of thousands of officials.
Responsible outgoing minister Ferd Grapperhaus condemned the former employee’s working methods. “This information must always be treated with great care and that care has been trampled here.” The minister took the leak very seriously. He instructed the Integrity Office of the Judicial Institution Service (DJI), cybersecurity company Fox-IT and Audit Service Rijk (ADR) to get to the bottom of the matter.
Based on the results of the investigations, Minister Grapperhaus decided to tighten up the working arrangements and procedures for hiring external employees. In addition, he had the used analysis tool replaced by the Data Leakage Protection (DLP) tool. This is a tool that distinguishes between confidential and non-classified information and identifies its transport early.
Finally, Grapperhaus argued for additional training to make employees more aware of security risks and to increase their knowledge about secure digital working.
Conclusion: an accident is just around the corner
Data breaches are the order of the day. Name and address details, contact details, bank account numbers and other personal data are the new gold for hackers and cybercriminals. They use confidential and privacy-sensitive data to victimize people. If they find that too much trouble, they can always sell the stolen data to the highest bidder via hacker forums or the dark web.
What the above leaks show is that an accident is just around the corner. Human error, poorly thought-out access policies or lax security measures are in most cases the cause of a data breach. The good news is that most causes can be addressed.
There are several ways to control access to sensitive data, for example through Role-Based Access Control (RBAC). To put cybersecurity in order, a risk analysis or a pen test forms a good basis. These studies put a finger on the sore spot: they show where possible weaknesses lie and how they can be solved.
Human errors are persistent and more difficult to tackle. Security experts often say that people are the weak link when it comes to cybersecurity and information security. An abbreviation that security experts use to address this issue is PEBKAC. That stands for ‘Problem Exists Between Keyboard And Chair’.
By regularly training employees, you make them aware of security risks and make your company or organization more digitally resilient against cyber attacks and other threats. This greatly reduces the chance of a data breach.