Magister, the school system in which student records are created, appears to have been poorly secured for years. Emails sent from the program were not encrypted until recently. Developer Schoolmaster has since taken action and plugged the leak.

The administration program Magister, published by Iddink, is used by more than 500 Dutch schools. The school system holds files with student data, such as name and address information and school results. When a student file is changed, for example because of a new grade or a new note, the system sends an email announcing the update. For years, the content of this email appears not to have been encrypted.
Security researcher Bram Matthys, who discovered the leak, had repeatedly raised the alarm with Iddink since 2016 to alert the publisher to the security vulnerability. In early August 2018, the leak was finally plugged. The fix took a long time because intercepting the emails takes some effort; according to Matthys, Iddink did not see a major risk in the leak. "To intercept the emails, one has to be in the network path between the software maker's mail server and the school's. So for that, someone has to make an effort, such as hacking a router or putting a device on the line." Nevertheless, Matthys believes this is a major risk and action should have been taken earlier, also because it involves children's sensitive data. "Malware, such as VPNFilter, for example, previously infected half a million routers worldwide. This malware also had code to intercept network traffic with."
Pieter Dubois, spokesman for Iddink, acknowledged in a response to Nu.nl that communication with Matthys had been substandard: "Bram Matthys has shared his findings with us on several occasions and we did not get and stay in good contact with him about this. We have apologized to him for that." According to the spokesman, no indications of unauthorized access to Magister email traffic from one or more schools have been received in the intervening period.
