Skip to main content
Netherlands News in English

Main navigation

  • Top stories
  • Health
  • Crime
  • Politics
  • Business
  • Tech
  • Culture
  • Sports
  • Weird
  • 1-1-2
Image
Ransacked bedroom after a burglary
Ransacked bedroom after a burglary - Credit: HighwayStarz / DepositPhotos - License: DepositPhotos
Business
Alarm system
Carrier Global
SMC
Data leak
GroenLinks-PvdA
Secura
Securitas
Barbara Kathmann
dutch data protection authority
AP
whistleblower
Ralph Moona
Matthijs Koot
Joris Talma
Thursday, 11 April 2024 - 12:50

Share this article:

Software leak: False alarm passwords for thousands of alarm systems searchable online

The false alarm passwords for thousands of Dutch alarm systems were easily findable online due to a leak in Carrier Global software, which is used by the SMC alarm center, among others, in the Netherlands. SMC and Carrier Global have known about the issue for a year, whistleblower Joris Talma told BNR.

Research by BNR showed that the leak affected at least 26,000 Dutch alarm systems linked to SMC, including those of supermarkets, banks, government services, city halls, utility companies, a money printer, and Fox-IT - a company that keeps state secrets.

The leak involves the password customers verbally give the alarm center after a false alarm to say that all is well and the alarm center shouldn’t dispatch the police. The leak also included customers’ names and addresses. Celebrities and other prominent people received a separate designation from SMC, making them easy to find in the mountain of data.

Whistleblower Talma, a software developer, discovered the leak by accident early last year while doing work for a small theater in the east of the country, which is an SMC customer. He was looking for a way to automatically turn off the theater’s lights if someone activated the alarm system for the weekend. By chance, he found out that he could access data from other SMC customers via the alarm installer app.

Talma immediately understood the implications of his discovery and warned Carrier Global in February 2023 - BNR has seen the correspondence. He reported the leak to SMC in June. After his warning, Carrier Global warned its customers about the leak but did not actually close it. SMC also did not act effectively. Talma then raised the alarm with the Dutch Data Protection Authority multiple times, with no result. The data was still accessible a year later.

The whistleblower worried that other alarm centers also used the Carrier Global app, called the MAS Mobile Classic App. He checked last month and found that the leak also impacted Securitas systems, though here only personal data, and not false alarm passwords leaked. He informed the company, and Securitas locked the vulnerable system.

According to BNR, SMC only did the same after questions from the broadcaster, almost a year after Talma’s first report to the company.

The broadcaster asked independent experts from Secura to verify the leak. “These types of tricks can be used by organized crime and foreign intelligence services to gain physical access to buildings,” technical director Ralph Moona said. Security researcher Matthijs Koot said he was shocked by the scale. “It is very unfortunate that this emergency center software is connected to the internet with such serious vulnerabilities.”

GroenLinks-PvdA parliamentarian Barbara Kathmann has asked the Minister of Justice and Security to investigate. “We have to look very carefully at how big this leak actually is, whether more emergency centers are involved, and how this could have happened in the first place,” Kathmann said. She called the fact that SMC and Carrier Global took a year before closing the leak the “biggest shock.”

More like this

Image
Gurneys in a hospital corridor
Hospital patient data may have leaked in Chipsoft hack, sources say
Image
Odido's headquarters building in The Hague. Undated
Odido cyber attack: Hackers gained access to 6.2 million people's data
Image
Poster urging Amsterdam residents to vote in the parliamentary election on 29 October 2025
AI chatbots' election advice unreliable & biased; Too often recommend PVV, GL-PvdA
Image
The Public Prosecution Service office in Oost-Nederland
Hack behind Dutch Prosecution Service's disconnect from internet
Make NL Times your top Google source

Follow us:

Latest stories

  • Consumer prices confirm Dutch inflation rate at 2.9% in June; Fuel price growth slows
  • Zeeland shuts down 20 wind turbines overday after young sea eagle’s death
  • Regulator grants online retailer Bol license to operate as a payment provider
  • Netherlands to end zero-hour work contracts, limit flexible employment with Senate vote
  • Ajax agree €27M deal to sell Sean Steur to Newcastle

Top stories

  • Netherlands to end zero-hour work contracts, limit flexible employment with Senate vote
  • Netherlands recruited 29 top scientist leaving U.S. under Trump
  • Police shoot armed man on Rotterdam street
  • Rotterdam train traffic back to normal after week-long outage
  • New-build home sales in Netherlands fall 19% as market cools

© 2012-2026, NL Times, All rights reserved.

Footer menu

  • Change Privacy Settings
  • Privacy Policy
  • Contact
  • Partner Content