On May 30, the e-mail addresses of about 60,000 Dutch people with student debt were temporarily visible online, reports BNR (1). An ethical hacker discovered the data leak at the Dienst Uitvoering Onderwijs (DUO). The leak was reported the same evening.
DUO had sent out a survey earlier that day using survey software from the Swiss company Survalyzer. This software turned out to be vulnerable: 60,000 e-mail addresses were exposed.
Such a data breach is very damaging and can have far-reaching consequences. Since many students' e-mail addresses contain their names, the data identifies individuals. The National Student Union (LSVb) is therefore angry about the data breach.
President Elise Weehuizen points out that having student debt is "super-sensitive information" that should not be made public just like that. There is embarrassment among many students about having student debt.
Moreover, a data breach like this can be used by cybercriminals for scams, such as phishing attacks.
DUO used the commercial company Survalyzer to distribute its surveys. Since multiple surveys were involved, data from schools, municipalities and even DUO personnel themselves were also temporarily visible.
According to the Ministry of Education, only the hacker who discovered the data breach saw the data. A report was made to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). The survey platform was taken offline on May 31.
Why DUO chose to use Survalyzer is not clear. Roos Dijkxhoorn, founder of cybersecurity firm PuraSec, argues that DUO should have thoroughly investigated Survalyzer's security before using it.
(1) https://www.bnr.nl/nieuws/nieuws-politiek/10550815/gegevens-60-000-terugbetalers-op-straat-na-fout-bij-duo