Commissioned by the municipal audit office, an ethical hacker was able to gain admin access to the digital infrastructure of the municipality of Arnhem via an inside-out attack. Among other things, he was able to view privacy-sensitive information about citizens and civil servants.
The mayor and aldermen indicated that they were shocked by the findings. It turned out that the inside-out vulnerability was already known but had not yet been closed. According to the municipality, its own regular information security audits focus primarily on outside-in attacks because those occur most often.
The audit office emphasizes that more vulnerabilities have been found and that De Connectie, the organization that handles the municipal ICT network, ‘did not tackle the shortcomings identified with the greatest possible decisiveness’. The municipality points out that De Connectie was started less than a year ago and was already working to improve information security.
The municipality has taken measures to prevent unauthorized access to the municipal network and to prevent escalation of privileges. Nevertheless, network access has been obtained. The other vulnerabilities must be remedied in the short term.