The Ministry of Health and the GGD knew in mid-December that the security of the ICT systems for source and contact tracing and for testing was not in order. This is apparent from documents sent to the House last night.
An internal analysis pointed to “serious vulnerabilities”. Nevertheless, risky components in the systems were not disabled. Even when the leak came to light, the GGD spoke of an “annoying incident”.
This concerns the export function, which is said to have been misused to leak personal data, but also the print function, which likewise allows privacy-sensitive data to be viewed and which was only disabled last Saturday. That happened after DeccEit and Nieuwsuur found that it was still working for all users.
Today, Health Minister De Jonge had to explain the data leak in the House of Representatives. He acknowledges that he should have responded earlier to internal signals that there were problems with the privacy of the GGD systems.
The Ministry and the GGD already had an internal risk analysis on 11 December, pointing to “serious vulnerabilities” in the systems. “Should we join together what”, it says in the minutes of a meeting of officials from the Ministry, the RIVM and the GGD.
At another meeting, a week later, the GGD maintains the view that “existing ICT” should continue to work so that the work can continue. The GGD was also “curious” about the effect on “the operation” of a new working group that was going to examine security.
On 24 December, just before Christmas Eve, Minister De Jonge informs the House of Representatives about several vulnerabilities in the GGD systems. The paragraphs are at the end of a letter that is otherwise about testing and an OMT advice.
In order to solve “some vulnerabilities”, according to the Minister, work is under way on a “more appropriate authorisation management”, so that people cannot access information they should not be able to reach. What was wrong with the authorisation management at the time is unknown, but it became clear afterwards that too many people could access too much information.
The details of the risk analysis of the GGD systems are (and remain) secret, in consultation with the National Cyber Security Centre.
In the House of Representatives, Minister De Jonge said today that the export function was used for statistical analysis and the distribution of work. “Too little account has been taken of the risks and that is of course not good”, says De Jonge.
The December warning is not the first time the government has been alerted to security issues. As early as September, Nieuwsuur reported that employees had access to all kinds of private data that they were not supposed to be able to access. In November, the AD reported on employees who peeked, without authorisation, at the data of Dutch celebrities.
The GGD's ICT systems consist of two different programmes. CoronIt contains data from some 5.5 million people who have been tested. HPZone contains data from about 1 million people who appear in a source and contact tracing investigation. Both systems were accessible to tens of thousands of employees of the GGD and call centres.
On 25 January RTL Nieuws reports that personal data have been obtained due to a leak in the GGD systems. The data is being misused and traded.
The Ministry and the GGD meet on 28 January about the leak. The report shows that the GGD calls it an “extremely annoying incident with data theft stable”. The button for exporting data from HPZone is already disabled. The GGD says it is busy closing the gap, but that this is not very easy. The print function remains on until 30 January.
The officials write in the report that, in retrospect, more rapid action could have been taken. Some time has been wasted by setting up a dedicated working group, but it is “crucial now to know what we need to solve in the short, medium and long term.”