Millions of residential addresses easily visible through land registry leak

Due to a leak at the Kadaster national land registry, it was possible to view names and residential addresses of just about every person with an owner-occupied home in the Netherlands. Anyone could gain access to the service's guarded systems. The Kadaster and the Dutch Data Protection Authority confirmed this after the leak was first reported by RTL Nieuws. It is not known whether the security hole was exploited.

The shielded data at the Kadaster is intended for bailiffs and civil law notaries. However, anyone could create an account for access without an actual check, RTL Nieuws reported.

The Dutch Data Protection Authority (AP) called the security hole a very serious matter. "This unauthorized access posed a great danger to threatened journalists, activists and politicians. But also anyone dealing with an angry, stalking ex. Someone could suddenly show up to threaten them. Or worse."

The privacy watchdog has instructed Kadaster to close the gap in the short term. "But there is still a lot of work to be done," the regulator added.

According to the AP, there are more places within the government where data may not be properly protected. "We therefore started a large-scale initiative earlier this year: the AP is urging the Cabinet to better protect access to personal data in public registries against improper use."

A spokesperson for Kadaster said that the organization is taking additional measures because of the leak. For example, the service is now checking people who request a business account. "This allows us to be more confident that the person being given an account is the person they claim to be."

The organization said it feels responsible "to minimize the chance of misuse of our registries."

Homeowner association Vereniging Eigen Huis (VEH) wants the Ministry of the Interior and the Kadaster to urgently assemble a crisis team to guarantee the privacy of homeowners after the major breach. According to the VEH, the security problem has been going on for years and almost nothing has been done about it.

"Already in 2018, the VEH demonstrated that anyone could obtain confidential personal data via the Kadaster," the association said. Anyone who created a business account with false data could not be traced if they requested information.

"Identification numbers, the value of the mortgage and personal details of a partner with whom the home was purchased can also be requested online to this day. Malicious people can easily abuse this." according to the VEH.

Kadaster and politicians have hardly taken any measures in recent years to better protect the privacy of homeowners. "For example, only the transfer of new-build homes are no longer recorded with an identification number, but this data is still visible at more than 6 million existing addresses," VEH continued.

"Vereniging Eigen Huis has been urging for years that personal data must only be viewed by people or organizations who have a 'legitimate interest.' Specific professional groups such as civil law notaries who have to work with this data on a daily basis and are under strict supervision can be exempted, the organization continued. According to the VEH, it already works this way in Germany.