Cyber Defense Advisors

Almost all citizens of city of Eindhoven have their personal data exposed

Graham CLULEY

May 24, 2024

Promo Protect all your devices, without slowing them down. Free 30-day trial

A data breach involving the Dutch city of Eindhoven left the personal information related to almost all of its citizens exposed.

As Eindhovens Dagblad reports, two files containing the personal data of 221,511 inhabitants of Eindhoven were accessible to unauthorised parties for a period of time last year.

Everyone who lives in the Netherlands has a citizen service number (known as a burgerservicenummer or BSN) – a unique registration number that is used when dealing with the Dutch government and official bodies.  It is effectively a social security number which is used as an identifier when paying taxes, receiving social security and healthcare.

As such, it is clearly not the kind of information that you would like to fall into the hands of unauthorised parties – such as identity thieves.

If a data breach occurs in the Netherlands, the Dutch data protection authority should be notified within 72 hours, and victims informed as soon as possible. However, in this breach’s case it appears that did not happen.

A spokesperson for the municipality of Eindhoven claimed that “very quick action” was taken after the discovery of the breach, and that affected residents were not informed of the breach because the risk of identity theft had been rated as “unlikely.”

Ultimately, details of the data breach only became public in recent days – many months after the breach occurred.

The municipality has emphasised that the data leak had been internal, and that the sensitive information has not been accessible to outsiders.

Although it’s good news if the data leak did not spill out to the outside world, what isn’t clear from the report is just how many internal employees at the municipality were able to access the sensitive data without authorisation.

Furthermore, it is not apparent what investigations might have taken place to explore what internal staff may have done with the breached data to which they had access.

Since last year, the municipality of Eindhoven has been the subject of stricter supervision by the Dutch data protection authority, concerned that personal data has not been handled with enough care following some 200 other breaches of varying size and severity.

Data breaches can have serious consequences for both municipalities and the individuals whose data is compromised. It is essential that municipalities take care to ensure that personal information is not unwittingly exposed, and that steps are taken to protect systems and data from unauthorised access.

Unlike with companies, members of the public have no choice but to entrust their personal information with municipalities in order to access essential services. Data breaches of public bodies violate this trust and expose sensitive information that could be used for malicious purposes by criminals.