Log in to municipal systems with ‘Welkom01’? In Medemblik it was possible

At the municipality of Medemblik, ‘attackers’ could gain access to the internal network with the password ‘Welkom01’. This gave them ‘complete control’ over the system. This is apparent from an investigation by the Court of Audit. The password has now been changed.

Fortunately, it was not hackers or cyber criminals who targeted the municipality. But the most important conclusion from the Court of Audit’s report is that safety was not in order.

Information Security Research

The Court of Audit conducted an investigation within the municipality of Medemblik between January and April 2022. That was carried out by cybersecurity firm Hoffmann. They looked at documents, held interviews, sent fake emails to employees and deployed ‘mystery guests’. After the investigation, the college proposed, among other things, to look at security every year.

Security in Opmeer was also not in order.

For example, ‘mystery guests’ were able to enter the town hall undisturbed, according to the report. There they were given access to closed areas and departments. “The absence of turnstiles and open doors allowed them to pass unnoticed,” said a spokesperson.

The ‘human behaviour’ was also tested. They sent 727 fake emails to employees, containing a link. Of these, 63 were opened, after which 47 login details were registered. Although the percentage – compared to other municipalities in the Netherlands – is slightly lower, some of the employees still clicked on the link. Have they already pointed out the risks? “Yes, they have been made aware of this behaviour. The municipality has also started a major awareness campaign.”

Colleagues not in danger

The municipality is shocked and is taking measures to prevent a real cyber attack. “It puts the finger on a sore spot,” the college writes.

In 2020, at the municipality of Hof van Twente, did cybercriminals succeed?. Then with a slightly more updated password, ‘Welcome2020’. “We acted immediately. With the measures taken, the security has been raised to a higher level, making it considerably safer. It is never possible to say with certainty whether a system is one hundred percent safe.”

Although the ‘attackers’ were able to view driving licenses and identity cards, the data of Medemblikkers was not endangered, according to the municipality. “We have not received any signals that information has fallen into the wrong hands or has been leaked. Thanks to this report, we have also been able to intervene in time. It also appears that we as a municipality have to be extremely keen on our safety and stay focused. “

ttn-55