Hundreds of Dutch company passwords for sale on the dark web
There is a big market for company credentials on the dark web. RTL Nieuws bought the credentials of five Dutch companies and gained access to data such as medical files, web shop orders, financial statements of self-employed people, and the building management system of a school. Frank Groenewegen, Chief Security Expert at Fox-IT, calls the online supply of credentials a painful example of IT supplier’s incompetence: “A lot of companies rely on an IT supplier to install their computer network. These companies trust that their network is safe, but the supply of company credentials proves that a lot of IT suppliers in the Netherlands do not have basic cybersecurity knowledge or fail to implement it, and compromise the security of their customers.”
RTL Nieuws managed to make a print-out of the daily orders of the web shop, including customer data such as full names, telephone numbers, addresses and bank account numbers, by accessing the owners’ computer. The computer of the accountant revealed financial statements with complete financial data of self-employed people. The news program also got access to unencrypted patient records, including medical and private data from the computer of a physiotherapist. Finally the reporter managed to manipulate the temperature and humidifier at the school in Utrecht.
Fox-IT: “Companies must be able to rely on their IT supplier taking the necessary security measures when it comes to installing their networks, without having to ask for it. Without implementing two-factor authentication when enabling remote access to a company network, companies run huge risks.
The evident poor online security of average Dutch companies is unacceptable says Frank Groenewegen: “Unsecure computers are still being supplied and configured with weak or standard passwords and as a result directly accessible through the internet. In most cases customers are not even aware of this situation. How long will we keep allowing IT suppliers to deliver unsecure hardware and services and get away with it?”