Serious vulnerabilities in GGD systems were already known in mid-December

The Ministry of Health and the GGD knew in mid-December that the security of the ICT systems for source and contact research and testing were not in order. It appears from documents sent to the House last night.

An internal analysis pointed to โ€œserious vulnerabilitiesโ€. Nevertheless, risky components in the systems were not disabled. Even when the leak came to light, the GGD spoke of an โ€œannoying incidentโ€.

This includes the export function, which would have been misused to leak personal data. But also because of the print function, which also allows you to view privacy-sensitive data and which was only disabled last Saturday. This happened after DeccEit and Nieuwsuur found that he was still working for all users.

Vulnerabilities

Today, Minister De Jonge van Health had to clarify the data leak in the House of Representatives. He acknowledges that he should have responded earlier to internal signals that there were problems with the privacy of the GGD systems.

The Ministry and GGD already had an internal risk analysis on 11 December, pointing to โ€œserious vulnerabilitiesโ€ in the systems. โ€œShould we join together whatโ€, says in the minutes of a meeting of officials from the Ministry, the RIVM and the GGD.

At another meeting, a week later, the GGD maintains the view that โ€œexisting ICTโ€ should continue to work so that the work can continue. The GGD was also โ€œcuriousโ€ about the effect on โ€œthe operationโ€ of a new working group that was going to examine security.

Christmas Eve

On 24 December, just before Christmas Eve, Minister De Jonge de Tweede Kamer informs about several vulnerabilities in the GGD systems. Paragraphs are at the end of a letter that continues on testing and an OMT advice.

In order to solve โ€œsome vulnerabilitiesโ€, according to the Minister, we are working on a โ€œmore appropriate authorisation managementโ€, so that people cannot access information they cannot belong to. What then suspended the authorization management is unknown, but it became clear afterwards that too many people could access too much information.

The details of the risk analysis to the GGD systems are (and remain) secret, in consultation with the National Cyber Security Centre.

In the House of Representatives, Minister De Jonge said today that the export function was used for statistical analysis and the distribution of work. โ€œToo little account has been taken of the risks and that is of course not goodโ€, says De Jonge.

The December warning is not the first time the government has been alerted to security issues. As early as September, Nieuwsuur reports that employees had access to all kinds of private data that they were not supposed to be able to access. In November, the AD reported about employees who were unauthorized to peek at the data of BNers.

The ICT systems of the GGD are two different programmes: CoronIt contains data from some 5.5 million people who have been tested. HPZone contains data from about 1 million people who are present in a source and contact study. Both systems were accessible to tens of thousands of employees of the GGD and call centres.

โ€œAnnoying incident.โ€

On 25 January RTL Nieuws reports that personal data have been obtained due to a leak in the GGD systems. Data is misused and traded.

The Ministry and the GGD meet on 28 January on the leak. The report shows that the GGD calls it an โ€œextremely annoying incident with data theft stableโ€. The button for exporting data from HPZone is already disabled. The GGD says its busy closing the gap, but thats not very easy. The print function remains on until 30 January.

The officials write in the report that more rapid action could have been taken retrospectively. Some time has been wasted by setting up a dedicated working group, but it is โ€œcrucial now to know what we need to solve in the short, medium and long term.โ€