Ethical hacker obtained admin access to the ICT infrastructure of the municipality of Arnhem

An ethical hacker was commissioned by the municipal audit office to gain admin access to the digital infrastructure of the municipality of Arnhem through an inside-out attack. This allowed him to view privacy-sensitive information of citizens and officials.

The ethical hacker connected to the network from within the town hall and exploited vulnerabilities to acquire the rights of a system administrator. As a result, he had ‘in principle control over the entire infrastructure of the municipality of Arnhem’. This means that he could also access personal data and other privacy-sensitive information of citizens, civil servants and administrators.

The security expert acted on behalf of the municipal audit office of Arnhem, which conducted an in-depth technical investigation into the municipality’s information security, following an earlier investigation that focused on the effectiveness and efficiency of information security and privacy policy.

The mayor and aldermen say they are shocked by the findings. It turned out that the inside-out vulnerability was already known, but not yet fixed. According to the municipality, its own regular information security audits focus primarily on outside-in attacks because these are the most common.

The audit office emphasizes that more vulnerabilities have been found and that De Connectie, the organization that manages the municipal ICT network, ‘did not address the identified shortcomings with the greatest possible decisiveness’. The municipality points out that De Connectie started less than a year ago and was already working on improving information security.

The municipality has taken measures to prevent unauthorized access to the municipal network and to prevent privilege escalation if network access is nevertheless obtained. The other vulnerabilities must be fixed in the short term.
