Tuesday, 3 February 2015 - 12:24
Old police websites vulnerable to DigiD hack
Cyber criminals could get access to people's DigiD login information through expired internet domains that were once registered to the police. This finding comes from research done by Reporter Radio in collaboration with security researcher Wouter Slotboom.
According to NU.nl, Slotboom found that when 300 police websites were transitioned to the domain politie.nl, a number of the websites were overlooked. Many local police officers also still refer to the old websites, whose registrations with the police have since expired. Some of these domains have been taken over by a third party, and people visiting them would have no reason to suspect that they now belong to another owner.
As a demonstration of the risk the old police websites posed, Slotboom registered 15 of them, NU.nl explained. On three sites, Slotboom uploaded a copy of politie.nl. Because people can file reports online and must enter personal information to do so, Slotboom obtained the DigiD login details of those who used the sites.
In late December, Slotboom provided all this information to the police. "I'm glad I've seen this; it is very important," said Ron de Milde, who was responsible for the transition to the domain politie.nl and who acknowledged that the old websites had escaped notice. "I'm happy you've given us the opportunity to rectify this," De Milde is quoted as saying.