Major data breach at youth services organisation could have been prevented
On Wednesday, a leading Dutch news outlet reported a major data breach at the Utrecht Youth Services Agency (now known as SAVE). Well over three thousand case files and two hundred voicemails and internal mails containing full details of vulnerable children were compromised. How? Through careless cancellation of a disused domain name when the organisation became SAVE. For industry insiders, it's a familiar story: the Dutch police suffered a very similar data breach two years ago. So how can it have happened again?
In 2015, the Utrecht Youth Services Agency changed its name to Samen Veilig Midden-Nederland ('Safe Together Central Netherlands', or SAVE for short). Three years after the name change, the website linked to the old name was shut down. In situations like that, the normal practice is to de-activate the old domain name, but retain it to prevent abuse. However, that didn't happen with SAVE. The registration (which could have been kept for maybe ten euros a year) was allowed to lapse. As a result, it became available for anyone to register at the end of its quarantine period.
Data leaked via old e-mail addresses
Automated processes at SAVE sent non-encrypted case files to various e-mail addresses, including some linked to the old domain name. Two whistle-blowers then re-registered the disused domain name, enabling them to receive data sent to the defunct addresses. That's because a domain's new registrant is like someone who buys a new house: they receive post meant for the previous owner, if that person forgets to tell everyone that they've moved.
A warning to others
The whistle-blowers are now warning about carelessness in the care sector. They believe that there are probably dozens of similar organisations that have let disused domain names lapse, meaning that they're available for anyone -- including crooks -- to re-register. SAVE's CEO Paul Janssen told RTL Nieuws, "We've acted to ensure that no further information leaks out this way, we've launched an enquiry, and we've sought external advice. We're also changing our security policy immediately."
Is your organisation in a similar position? Here's our advice:
1. Never simply cancel a domain name.
For years afterwards, there's a real risk that traffic will still be directed to the old name, accidentally or otherwise. If someone else innocently or maliciously re-registers your old domain name, all that traffic -- including potentially sensitive information -- will go to them. All that, when you could have kept the name for a nominal annual fee!
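One practical check that follows from this advice: before any automated mail flow is allowed to send documents, compare the recipient addresses it uses against an inventory of the domains the organisation still controls. The script below is an added illustration, not code from the original post or from SAVE; the domain names, the inventory and the recipient list are constructed placeholders.

```python
# Added example (not from the original post): audit the recipient addresses used by
# automated mail flows against an inventory of domains the organisation still
# controls, so that addresses on a lapsed or unknown domain are flagged before
# any case file is sent to them. All domain names below are constructed placeholders.

OWNED_DOMAINS = {"samen-veilig.example", "save.example"}   # constructed inventory

AUTOMATED_RECIPIENTS = [                                     # constructed sample
    "intake@samen-veilig.example",
    "Archief@SAVE.example.",               # mixed case and trailing dot: still ours
    "dossiers@mail.samen-veilig.example",  # subdomain of an owned domain
    "casework@old-agency-name.example",    # domain that was allowed to lapse
    "not-an-address",                      # malformed entry in the config
]

def mail_domain(address):
    """Return the normalised domain part of an e-mail address, or None if malformed."""
    if address.count("@") != 1:
        return None
    local, domain = address.rsplit("@", 1)
    domain = domain.strip().lower().rstrip(".")
    if not local or not domain or "." not in domain:
        return None
    return domain

def is_owned(domain, owned):
    """True if the domain, or any parent domain of it, is in the owned inventory."""
    labels = domain.split(".")
    # Walk from the full name up to (but excluding) the bare TLD.
    return any(".".join(labels[i:]) in owned for i in range(len(labels) - 1))

def audit_recipients(recipients, owned=OWNED_DOMAINS):
    """Return (address, problem) pairs for every recipient not under an owned domain."""
    findings = []
    for addr in recipients:
        domain = mail_domain(addr)
        if domain is None:
            findings.append((addr, "malformed address"))
        elif not is_owned(domain, owned):
            findings.append((addr, f"domain {domain} not in owned inventory"))
    return findings

if __name__ == "__main__":
    for addr, problem in audit_recipients(AUTOMATED_RECIPIENTS):
        print(f"{addr}: {problem}")
```

Run against a real configuration, the inventory should be the registrar's list of active registrations rather than a hand-typed set, and the audit belongs in the deployment pipeline of any system that sends documents automatically, so that a lapsed domain surfaces as a failed check rather than as a leak.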
2. Monitor your organisation's name or brand.
We advise actively monitoring your organisation's name or brand. Various monitoring services are available, where new registrations are checked to pick up any that resemble the subscriber's brand. For example, the .nl zone includes many domain names that include the string 'jeugdzorg' ('youth care'). There's probably nothing malicious about most of them, but it pays to be aware of what's being registered, so that you can respond if and when there is a malicious registration.
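To show what such monitoring does under the hood, here is an added example (not code from the original post or from any monitoring service) that screens a batch of new registrations against a set of watched brand terms. It flags exact substring hits, like the 'jeugdzorg' case above, and also near-misses within a small edit distance, which catches typo variants and single-character substitutions. The registration batch is constructed sample data, not real .nl zone data.

```python
# Added example (not from the original post): screen newly registered domain names
# against an organisation's brand terms, flagging exact substring hits and
# near-misses (small Levenshtein distance). The registrations below are
# constructed sample data, not real zone data.

BRAND_TERMS = ["jeugdzorg", "samenveilig"]          # terms the organisation watches

NEW_REGISTRATIONS = [                                # constructed sample batch
    "jeugdzorg-utrecht.nl",      # contains a watched term
    "samenveillig.nl",           # one extra letter: near-miss
    "samen-veilig.nl",           # hyphen inserted: exact hit once hyphens are stripped
    "bakkerij-jansen.nl",        # unrelated registration
    "s4menveilig.nl",            # digit substitution: near-miss
]

def edit_distance(a, b):
    """Levenshtein distance between strings a and b (classic dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def registrable_label(domain):
    """Leftmost label of the domain, lower-cased, with hyphens removed for comparison."""
    return domain.lower().split(".")[0].replace("-", "")

def screen_registrations(domains, terms=BRAND_TERMS, max_distance=2):
    """Return (domain, term, reason) for each registration that deserves a human look."""
    hits = []
    for domain in domains:
        label = registrable_label(domain)
        for term in terms:
            if term in label:
                hits.append((domain, term, "contains term"))
                break
            d = edit_distance(label, term)
            if d <= max_distance:
                hits.append((domain, term, f"edit distance {d}"))
                break
    return hits

if __name__ == "__main__":
    for domain, term, reason in screen_registrations(NEW_REGISTRATIONS):
        print(f"{domain}: matches '{term}' ({reason})")
```

The output is a shortlist for a person to review, not a verdict: most substring hits will be legitimate, as the post notes, and the edit-distance threshold trades false positives against missed variants. A real feed would take the daily list of new registrations from the registry or a monitoring provider as input.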