An official website of a Belgian agency leaked the address information of all Belgians. By entering a person’s name, date of birth and zip code, the website revealed the person’s full address.
Until recently, a 12-year-old website exposed the addresses of all Belgians. The website is run by the Belgian Debt Agency and saw a peak in visitor numbers in recent weeks due to the issuance of a new government bond.
The address of any Belgian could be looked up by entering a person’s name, date of birth and zip code. These details are usually easy to obtain by doing a quick search on social media sites. In some searches, it was also possible to find the name of the legal partner through the official website.
Cybersecurity standards from 2011
The hack came to light via VRT NWS after an ethical hacker reported the vulnerability. The leak was closed within a few hours by the agency involved. The agency promises to investigate the exploitation of the vulnerability. That will take time, as it has been operating the website in the same way for 12 years.
Jean Deboutte, director of the Debt Agency, explains the long existence of the leak as follows: “Only this year, the number of users rose sharply, and this latest state voucher is a great success. The volumes through our site are extremely high now. As a result, these kinds of problems are surfacing at this moment.”
It is remarkable that an official government website does not receive security updates regularly. The cybersecurity landscape has changed dramatically in 12 years, and this flaw could be exploited without in-depth knowledge of hacking. Moreover, the EU has increasingly strict rules, aimed mainly at companies, to ensure the privacy of EU citizens.