Expired domains let hacker snoop through debt clients’ emails


Sensitive personal, financial, and medical information belonging to people struggling with debts has been exposed after a major security lapse involving Dutch debt administrators. The administrators failed to secure expired web domains, allowing a hacker to access confidential emails.

The leak stems from poorly managed old web and email domains, as discovered by ethical hacker Wesley Neelen and reported to Dutch news outlet RTL Nieuws.

In recent years, numerous administrators have merged or have been acquired by other organizations. The administrators are responsible for securing their former websites and email inboxes to prevent misuse.

However, some of them neglect to do this because they’re unwilling to pay the associated costs. Instead, they let their domain name expire. Anyone willing to pay a few euros can then register the domain name and gain access to all incoming emails to the previously registered email address.

Although these email addresses were no longer in use, they remained functional and continued to receive new emails from clients and customers. Neelen says he was able to register and take over the website and the associated email address just like that.
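A defender's check for the situation described above, as an added example that is not part of the original article: before a legacy domain is allowed to lapse, it counts recent inbound mail per domain and flags any that still receive mail while close to expiry. The inventory, the log line format, the `.example` domain names and the `audit` function are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import date, timedelta

# Constructed inventory of legacy domains: name -> (registration expiry, auto-renew on?)
LEGACY_DOMAINS = {
    "old-office.example": (date(2025, 3, 1), False),
    "merged-firm.example": (date(2026, 1, 15), True),
    "retired-brand.example": (date(2025, 2, 20), False),
}

# Constructed mail-gateway log (hypothetical line format, not a specific MTA's)
SAMPLE_LOG = """\
2025-01-28T09:12:00 from=<client1@mail.example> to=<info@old-office.example>
2025-02-03T14:40:10 from=<collections@agency.example> to=<post@old-office.example>
2025-02-05T08:01:55 from=<client2@mail.example> to=<info@old-office.example>
2025-02-04T11:30:00 from=<client3@mail.example> to=<info@merged-firm.example>
2024-11-02T10:00:00 from=<client4@mail.example> to=<info@retired-brand.example>
"""
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ from=<([^>]*)> to=<[^@>]+@([^>]+)>$")

def audit(domains, log_text, today, window_days=30, warn_days=60):
    """Return {domain: (risk, inbound_count, distinct_senders, days_to_expiry)}."""
    since = today - timedelta(days=window_days)
    hits = defaultdict(list)  # recipient domain -> senders seen inside the window
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        day, sender, dom = date.fromisoformat(m[1]), m[2].lower(), m[3].lower()
        if dom in domains and since <= day <= today:
            hits[dom].append(sender)
    report = {}
    for name, (expiry, auto_renew) in domains.items():
        days_left = (expiry - today).days
        lapsing = not auto_renew and days_left <= warn_days
        n = len(hits[name])
        if n and lapsing:
            risk = "HIGH"    # live mail flow on a domain about to lapse
        elif n:
            risk = "RETAIN"  # senders still use it: keep the registration
        else:
            risk = "REVIEW"  # no mail in window: widen the window before retiring
        report[name] = (risk, n, len(set(hits[name])), days_left)
    return report

if __name__ == "__main__":
    for name, row in audit(LEGACY_DOMAINS, SAMPLE_LOG, date(2025, 2, 6)).items():
        print(name, *row)
```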

“Technically, it is very easy. I was surprised that so many emails were still coming in, even though the inbox hadn’t been used for a while,” he told RTL Nieuws.

In just a few weeks, Neelen gained access to 258 financial files of people with debts. After that, he closed the mailbox.

Due to the leak, both sensitive and personal information was available to malicious people, including full names, home addresses, phone numbers, bank account numbers, and information about their contracts and debts.

On top of that, documents from the tax authorities, medical history, payslips, unpaid bills for health insurance companies, reminders and penalty notices from collection agencies, and bills from the telecom provider could be accessed.

Privacy advocates have expressed concerns about the consequences for those affected. Individuals dealing with debt often face financial hardships, legal challenges, and social stigma. The exposure of such information could increase the risk of identity theft, fraud, or further emotional distress.

According to cybersecurity experts, the incident highlights a serious oversight.

Aegis, the trade association for debt administrators, will warn its members about potential misuse in light of this data breach.

“Given the sensitive nature of the information held by administrators and the vulnerability of many of our clients, we must be especially vigilant about this,” a spokesperson said in a response.
