Major data breach at youth services organisation could have been prevented

On Wednesday, a leading Dutch news outlet reported a major data breach at the Utrecht Youth Services Agency (now known as SAVE). Well over three thousand case files and two hundred voicemails and internal mails containing full details of vulnerable children were compromised. How? Through careless cancellation of a disused domain name when the organisation became SAVE. For industry insiders, it's a familiar story: the Dutch police suffered a very similar data breach two years ago. So how can it have happened again?

In 2015, the Utrecht Youth Services Agency changed its name to Samen Veilig Midden-Nederland ('Safe Together Central Netherlands', or SAVE for short). Three years after the name change, the website linked to the old name was shut down. In situations like that, the normal practice is to de-activate the old domain name, but retain it to prevent abuse. However, that didn't happen with SAVE. The registration (which could have been kept for maybe ten euros a year) was allowed to lapse. As a result, it became available for anyone to register at the end of its quarantine period.

Data leaked via old e-mail addresses

Automated processes at SAVE sent non-encrypted case files to various e-mail addresses, including some linked to the old domain name. Two whistle-blowers then re-registered the disused domain name, enabling them to receive data sent to the defunct addresses. That's because a domain's new registrant is like someone who buys a new house: they receive post meant for the previous owner, if that person forgets to tell everyone that they've moved.

A warning to others

The whistle-blowers are now warning about carelessness in the care sector. They believe that there are probably dozens of similar organisations that have let disused domain names lapse, meaning that they're available for anyone -- including crooks -- to re-register. SAVE's CEO Paul Janssen told RTL Nieuws, "We've acted to ensure that no further information leaks out this way, we've launched an enquiry, and we've sought external advice. We're also changing our security policy immediately."

Is your organisation in a similar position? Here's our advice:

1. Never simply cancel a domain name.

For years afterwards, there's a real risk that traffic will still be directed to the old name, accidentally or otherwise. If someone else innocently or maliciously re-registers your old domain name, all that traffic -- including potentially sensitive information -- will go to them. When you could have kept the name for a nominal annual fee!

2. Monitor your organisation's name or brand

We advise actively monitoring your organisation's name or brand. Various monitoring services are available, where new registrations are checked to pick up any that resemble the subscriber's brand. For example, the .nl zone includes many domain names that include the string 'jeugdzorg’ ('youth care'). There's probably nothing malicious about most of them, but it pays to be aware what's being registered, so that you can respond if and when there is a malicious registration.



Marnie van Duijnhoven

communications manager

+31 26 352 55 00

  • Tuesday 18 December 2018

    .nl domain name

    ICANN and the Whois: no more admin-c?


    A uniform global solution is wanted soon

    Read more
  • Monday 28 May 2018

    Internet security

    "Privacy is an opportunity, not an administrative burden"


    Privacy Designer smooths the way to GDPR compliance

    Read more
  • Friday 19 April 2019

    SIDN Labs

    SIDN to promote adoption of the DANE internet standard


    E-mail security standard added to the Registrar Scorecard

    Read more


Your browser is too old to optimally experience this website. Upgrade your browser to improve your experience.