- Published on
Epe could be hacked because an emergency access account was poorly secured
- Authors
- Name
- aimode.news
- @aimode_news
The data breach at the Dutch municipality of Epe earlier this year took place after attackers were able to abuse an emergency access account. They managed to crack an administrator password, the municipality wrote in an evaluation report. During the hack, the BSNs of all residents were stolen.
The municipality of Epe has posted an evaluation online of the data breach that took place in April this year. After the hack, the names, addresses, dates of birth and citizen service numbers of all residents of the municipality were made public. The municipality then replaced a thousand IDs at no cost.
Some details about the hack were already known, but the current evaluation makes it even clearer how the criminals managed to steal more than 525,000 documents. It was already clear that the criminals entered by tricking an employee, having him download malware and intercepting his multi-factor authentication data.
It is now also clear that the criminals subsequently obtained higher user rights on the system 'because an administrator password could be cracked'. The municipality also writes: "A break-glass account, intended as emergency access, had insufficient additional security measures, allowing the attacker to obtain far-reaching rights." The municipality does not provide any details about this, but Microsoft, among others, calls Global Administrator accounts this way in Entra ID.
Also striking in the evaluation is that the municipality writes how much the data breach cost the municipality. That information is rarely mentioned in hacks, but Epe is open about it: the data breach cost almost 350,000 euros. For example, the technical investigation cost 120,896 euros, the municipality says. Hiring the incident response company and 'external project management' cost 79,815 euros. Deploying communications employees also cost money, as did handling GDPR and Woo requests. The municipality also writes how much it cost to send all letters and replace all IDs.
