Financial administrators' poor email security put many people with money trouble at risk
Cybercriminals have easy access to data from financial administrators’ poorly secured old email addresses, RTL Nieuws reports. As a result, the personal data of people with financial problems - a group particularly vulnerable to fraud and exploitation - can easily end up in criminals’ possession.
Financial administrators manage the affairs of people unable to do so themselves, for example, due to debt or an intellectual disability. Hundreds of thousands of people in the Netherlands are under financial administration. These administrators possess highly sensitive data about their clients, including tax documents, medication data, payslips, doctors' bills, fines, and bills from their telecom provider, with an overview of all calls, much of which arrives via poorly secured email.
This leak was discovered by ethical hacker Wesley Neelen when he delved into the leaked Odido data and noticed that many people were using their administrator’s email addresses for their bills. Many of these email addresses were no longer in use, and he was easily able to re-register the lapsed domain and take over the website and its associated mailbox.
“Technically speaking, it is very easy. I was surprised that so many emails were still coming in even though the inbox hadn’t been in use for a while,” Neelen said. In a few weeks, Neelen gained access to 258 financial files of people with debts. After that, he closed the mailbox.
The emails he received contained details about people’s private lives. For example, an email from a Rotterdam housing corporation read: “The home is again severely filthy, and the lady appeared confused.” Another contained a death certificate and a last will.
“I am shocked by this; this data leak is truly terrible,” Nadja Jungmann, a professor of debt and collection at Utrecht University of Applied Sciences, told RTL Nieuws. “You don’t want people to know you have debts anyway. But these people are also vulnerable and become victims of crime more easily. If they receive an offer to earn extra money quickly, they are more likely to accept it.”
Jungmann thinks that administrators don’t know how many emails go to their old domain names. “I can imagine that the administrators are also shocked. It really should be a wake-up call that this is unacceptable.”
A financial administrator’s email address can go unused for various reasons, including bankruptcy, merger, or the discontinuation of services. According to the Netherlands Internet Domain Registration Foundation (SIDN), organizations receive a warning when sensitive domain names expire. But despite these warnings, many don’t take action.
Aegis, the trade association for financial administrators, told RTL that it would warn its members about this issue. “Due to the sensitivity of the information administrators possess and the vulnerability of many of our clients, we must be extra vigilant about this. Aegis will educate members about the risks, and we are looking into whether we can reach a protocol.”
