Police warned about security hole used by Russian hackers in major theft of police data
The Dutch police knew about gaps in their cybersecurity before a Russian cyber group stole a large amount of police data in September 2024, according to research by Follow the Money. The hackers used vulnerabilities that the police had been warned about.
The hackers gained access through an employee’s email account and stole the contact details of almost all 65,000 police officers in the Netherlands. The hackers also had access to cops’ profile photos and personal data. The theft of this highly sensitive information caused major unrest.
Documents obtained by FTM through the Open Government Act revealed that an internal risk analysis from November 2022 raised concerns about the implementation and security of Microsoft’s “M365 cloud.” The police have been using this service for several years for chat and meeting programs like Teams. The risk analysis warns that the cloud entails “inherent” risks, and “state actors” in particular would be “very interested in gaining access to the cloud environment.”
The authors urgently advised the police to use the cloud only after a series of measures intended to eliminate the most significant risks had been taken. In the documents provided to FTM, these risks and measures were redacted for security reasons. But, after questions from FTM, a police spokesperson acknowledged that mistakes were made. “We must conclude that not all measures were fully implemented at the time of the incident.”
The police told FTM that hacks like the one in 2024 can never be completely prevented, but acknowledged that it would have been more difficult if all the recommended security measures were in place. “This specific attack would likely have been more difficult to carry out and possibly detected earlier.”
For security reasons, the police did not tell FTM which measures “did not function or were ineffective.” But according to FTM, the provided documents show that the police took a series of measures immediately after the hack, including closing inactive or “ghost” email accounts and setting stronger passwords.
