Data leak in the Netherlands: What developers should learn from this

Currently, there are a series of data leaks going on in the Netherlands. Blauw, a prominent market research firm in the Netherlands, reported a data leak earlier this week. Blauw offers qualitative market research for companies and events, and works with many big Dutch brands.

The current leak of customer data has already resulted in personal data exposure for a substantial number of Dutch consumers. At this time, these are the known incidents related:

• VodafoneZiggo, one of the biggest telecom, tv, and internet providers in NL: 700,000 customers exposed (reference EN, NL)

• NS, the Dutch National Railways: 780,000 customers exposed (reference EN, NL)

• Vriend van Amstel Live, a concert format by the Heineken company: 22,000 customers exposed (reference NL)

With the variety of brands that Blauw does market research for, these numbers are likely just the tip of the iceberg.. However, some clients — like Albert Heijn, Etos, bol.com, and Vattenfall —  report that they were not affected by the data breach.

What can developers learn from data leaks like this?

As we do not yet know the reason for the data leak and Blauw has refused to disclose their software supplier, there’s not much sense speculating. However, we can still learn a lot from a data breach like this. The population of the Netherlands is only 17.5 million people — which makes the above numbers substantial! The effect will likely be massive and certainly qualifies as national news. The newspaper “Algemeen Dagblad” writes that possible millions of Dutch citizens are likely victims of this data leak.

Data leaks can create major security concerns, and as developers of software systems we need to take our responsibility seriously. When we create solutions for our applications, these solutions need to be scalable, maintainable and secure. Working in autonomous engineering teams is efficient, but a secure mindset while developing is critical nowadays. Just creating a solution that works isn’t good enough anymore.

Oddly, issues like cross-site scripting and SQL injection are still among the top vulnerabilities in modern-day applications and have been for years — which likely means that developers are generally not taking enough security measures or haven’t educated enough to tackle these problems.

Next to this is the supply chain. The code developers write is just a small fraction of the actual applications. Open source frameworks and libraries often do the heavy lifting and help ensure rapid development. However, just like cars and buildings in the physical world, open source software needs maintenance. Strategies like updating libraries to newer versions should be a regular exercise. 

What should developers do?

Thankfully, there’s a lot developers can do to protect their applications from similar data leaks..

• Educate yourself on common vulnerabilities.
  Snyk Learn is a great free platform with multiple lessons and learning paths like the OWASP top 10 path covering common vulnerabilities.

• Use tooling to scan your custom code for security vulnerabilities.
  Snyk Code a great free option that can analyze your code in your IDE or in your pipeline to catch issues like path traversal or SQL injection

• Correctly review code. Make ample time and the correct personnel are available to complete code reviews. Check this cheat sheet for more information

• Keep your dependencies and frameworks up to date. Check out this blogpost to learn more about creating a solid dependency management strategy. 

• Refine your build and release system so you can easily rebuild and redeploy, or distribute, your application once a vulnerability pops up.

• Scan your open source libraries for known vulnerabilities. Snyk Open Source is a great place to start. 

• Monitor your application when in production for new vulnerabilities.
  Problems get discovered over time. Keep an eye on what’s in production right from your CLI with Snyk Monitor.

As a developer, you have a responsibility to ensure the code you write is secure since you’re the one holding the steering wheel and implementing the solutions.

It’s impossible to fully prevent data leaks like this one due to the multitude of circumstances that drive them. However, most breaches and data leaks are created by a combination of common security problems. Reducing the number of potential attack vectors is the responsibility of everyone working with and on it, including developers. Collaboration and communication around secure coding practices keeps security incidents — and news headlines — to a minimum.