The website Appointment Desk, about which several municipalities have warned in recent days, has leaked the citizen service numbers (BSN) of users of the site. The CCeit discovered this. The administrator of the website said in response “that this should never have happened”.
The site offered people the opportunity to make an appointment with a municipality and charged 20 euros for it. This is free of charge at the municipality. Almere, Dordrecht and Oss, among others, warned about the site.
In addition to BSNs, personal data such as telephone numbers, postcodes, e-mail addresses and expiry dates of identity documents were relatively easy to view.
Citizen service numbers
The data in question relate to 6000 users, of whom 4200 had entered an e-mail address and 2600 a citizen service number. The site had only been active for a few weeks.
Incidentally, the site is not allowed to process any citizen service numbers at all. These are special personal data that are extra protected. “Companies are only allowed to do this if they are legally obliged to do so”, says ICT lawyer Charlotte Meindersma. That is not the case here.
The data leak was on a test page of the site, which hacker Loran Kloeze forwarded to the CCeit. That page showed internal passwords, including those for the database. Logging in to the database was then relatively easy.
“Of course, that should never have happened,” says the administrator of the website, student Wouter Blokhuis. After the CCeit informed him, he took the site off the air.
By the way, he was already working on “phasing out” the BSN, he says. “We found out that that is not allowed.” For the time being, he does not intend to report the leak to the Personal Data Authority.
Fooling people was never the intention, he says. “People could get a reminder from us if their document had almost expired,” says Blokhuis. “And as a service we could then make a payment for them.” However, people turned out to use the site differently, he states, simply by making an appointment.