In September 2024, the Dutch police were confronted with one of the most serious data breaches in their recent history. An investigative article by Follow the Money reveals that a Russian cyber group gained access to internal systems via an unsecured email account and stole the contact details of almost all 65,000 police officers.
What makes the incident particularly distressing is that the risks were known well before the attack. Follow the Money reveals that in November 2022, the police commissioned an internal risk analysis on the use of Microsoft cloud services. That analysis explicitly warned of security risks and recommended that additional measures be taken before the systems were put into full use. According to the investigation, only some of that advice was followed.
The police now acknowledge that security shortcomings contributed to the success of the attack. According to a spokesperson, the hackers would have had a much harder time if all the recommended measures had been implemented. The investigation thus exposes a structural problem: known risks are identified, but not always addressed in a timely or comprehensive manner.
The consequences of the hack are significant. Not only does it constitute a serious violation of the privacy of police officers, but it also raises questions about the digital resilience of a crucial government organization. Follow the Money's investigation shows how vulnerable public institutions can be when warnings are ignored and how great the impact can be, especially at a time of increasing geopolitical tensions and digital threats.
