Details of 60 thousand recoveries on the street after a DUO error

News and politics | 24 Jun 24 06:00 | Edited on 24 Jun 24 at 11:10 | Authors: Lisane Witschgers and Erik van den Berg

Email addresses of 60,000 people struggling with student debt briefly appeared online due to a data breach at the Education Executive Agency. An ethical hacker discovered the data breach on the evening of May 30 and reported it immediately.

Earlier that day, DUO had sent a survey to 60,000 people struggling with student debt, asking them about their financial situation. DUO used software from the Swiss company Survalyzer, which turned out to be insecure. This gave the hacker access to the email addresses of the 60,000 debtors. Because many email addresses contained names, it was often clear who the debtors were.

Photo caption: The National Union of Students (LSVb) is not happy about the debtors’ data being exposed. “This is very bad and harmful.”

“Very bad and harmful”

The National Union of Students (LSVb) is not happy about the debtors’ data being exposed. “This is very bad and harmful. Whether you have student debt or not is very sensitive information,” says board president Elissa Wehuizen. According to her, many students feel ashamed of their student debt. “There has to be some awareness that people work here.”

Experts warn that the leak could also be exploited by criminals for fraud. “In addition to the email address and maybe the name, you now have a little bit of context about this person and their situation,” says Roos Dijkxhoorn, founder of cybersecurity firm Purasec.

Cooperation with an external party

Dijkxhoorn questions why DUO would share recoveries’ personal data with a commercial party like Survalyzer in the first place. “This might be possible by doing thorough research on the security of such a platform beforehand, but it seems like this kind of sensitive information is handled too easily.” The security expert warns that if this information falls into the wrong hands, it could be used for targeted phishing attacks. The more information available about a person, the greater the chance of success in such an attack.

Data on DUO employees, schools and municipalities were also exposed

Because DUO conducted numerous surveys using Survalyzer, the email addresses of schools, municipalities, and DUO employees were also publicly available, and ironically also the email addresses of employees of DUO’s Security Operations Center.

The survey and the data were taken offline on May 31. DUO reported the incident to the Dutch Data Protection Authority (AP). According to the executive agency, only the hacker who discovered the leak saw the email addresses.

Survalyzer hired an external security firm to investigate the leak. DUO is also looking into how to prevent these types of incidents in the future.
