Bureau Jeugdzorg Utrecht is dealing with a major data breach.
Due to an error, 3278 files of 2702 children were leaked. This is reported by RTL News based on its own research. About two-thirds of the affected children are minors, a quarter are under 12.
The error has to do with a domain name of Bureau Jeugdzorg Utrecht. In 2015, the name of the organization was changed to Samen Veilig Midden-Nederland (SAVE), meaning the domain name was also changed. The old domain name was taken offline three years later. To prevent abuse, the URL should have been securely locked.
However, this did not appear to have happened. The organization simply did not renew the domain name, allowing anyone to take over the website. And that’s where it went wrong. Indeed, Youth Services mails patient files to employees unsecured and automated, including to e-mail addresses still linked to the old website.
All that information turned out to be captured by registering the domain name. That’s what two whistleblowers did, who then reported the data breach to RTL News. The problems could have been avoided if Youth Care had renewed the domain name for 10 euros a year.
The files appear to contain highly sensitive information about the children. Consider, for example, information about their mental disorders, details of sexual abuse and suicide attempts. The files contain the victims’ full names and dates of birth, making them easy to find.
Internal emails from Youth Services were also leaked, as well as two hundred voicemail messages. Youth Services has since apologized to the victims. It is also going to notify victims and has reported the data breach to the Personal Data Authority. The leak has been plugged.
The whistleblowers claim, however, that there are dozens more similar organizations that also have expired domain names. With them, then, such a similar data breach could take place, should someone take over the domain name.