The Dutch Land Registry suffers from a severe privacy loophole that has exposed the home addresses of all homeowners in the country for many years now.
According to an investigation by the Dutch outlet RTL News, anyone can easily search home addresses on the Land Registry’s portal just by knowing their target’s name. This exposure could be perilous, especially for high-risk people like investigative journalists, politicians, high-ranking officials, entrepreneurs, and activists.
An “open” portal
The Dutch Land Registry holds information about six million homeowners in the country and makes it available through an online portal. Regular citizens are allowed to enter addresses and find out the corresponding property’s cost and the owner’s identity. However, they cannot perform reverse searches, like using a full name to find out what properties a person owns.
This capability, however, is reserved for a particular category of users, typically professionals who need this information to ensure the legitimacy of their work, like lawyers, brokers, notaries, and bailiffs. The abysmal design logic of the Land Registry portal allows approximately 30,000 users of the said professions to perform reverse searches using full names to find the property a person owns, including details about it such as its address or the identity of co-owners, usually spouses.
To make matters worse, there’s no limit to the performed queries or any restrictions for these 30,000 users that would prevent abuse of reverse searches, and the agency has no oversight on who searches for what. RTL tested and confirmed this problem using a privileged account they created on the platform themselves for the purpose of their investigation, simply by going through the Chamber of Commerce registration process and using one of the sectors that are eligible for this kind of access.
“It is possible for everyone to create a professional account for the private part of the Land Registry,” explained RTL.
“The organization does not control which organization wants access to the database and does not verify identities, despite the sensitive data it manages.”
However, using a privileged account isn’t even a hard requirement for accessing sensitive data on the Land Registry’s portal. Unethical users have already taken advantage of the agency’s lax policies to monetize their access by selling this information to anyone who needs it. There are several Telegram channels that sell private data like people’s home addresses for $50 per reverse search, and unfortunately, RTL’s tests proved that they’re not scams.
At this time, it is unknown how many people have used those services and how many Dutch homeowners have had their sensitive information exposed due to the Land Registry’s insecure logic and complete lack of data access controls.