A quarter of councilors from The Hague clicked on link in phishing email
When a fake phishing email was sent to 45 councilors of the municipality of The Hague, about a quarter of them actually responded to its content. This is apparent from an investigation by the Court of Audit in The Hague, which found various vulnerabilities in the internal network.
The phishing emails were sent to the 45 councilors as a test just before the municipal elections. They reportedly contained a link to a non-existent survey. The Court of Audit in The Hague concluded from the click results that eleven councilors actually clicked on the link.
The Court of Audit takes this seriously. “In a real situation, one response to a phishing email is sufficient to give an attacker the opportunity to install malware on the internal network or obtain data from the recipient. The test also shows how vulnerable the security of the internal network is to attacks from outside.” Phishing emails are usually tailor-made for targeted attacks and hackers use them to install malware or extract sensitive data.
During penetration tests, the researchers found a total of 34 vulnerabilities in the municipal network, of which fifteen were rated high to very high. This allowed them to obtain access to personal data of residents of the city. Most of the vulnerabilities have now been fixed.
According to the authors of the risk analysis, the conclusion is that the municipality has taken insufficient measures to protect the information of citizens and companies against malicious parties. In addition, municipalities are storing more and more data about citizens because they are assigned more tasks by the national government. The Court of Audit in The Hague also finds it troubling that the vulnerabilities found were not known to the municipality.
The city council has promised to take measures to improve the security of the internal network. For example, it will have the security tested every year by an external agency. Employees must also be better informed, and ‘technical tools’ must be connected to the network so that possible intruders can be identified in good time.