KPN was told today that it must pay a fine of 450,000 euros. The reason for the fine is that the security of the interception system did not meet legal requirements. The shortcomings have since been rectified.
Telecom Agency announces the fine via a press release (1).
The investigation was prompted by an April 2021 article in the Volkskrant newspaper about possible spying and eavesdropping practices by Huawei. The newspaper wrote that for years the Chinese technology company had "unauthorized, uncontrolled and unlimited" access to KPN's mobile networks. The company allegedly eavesdropped on several Dutch government officials in this way.
Huawei also allegedly had access to a database containing customer and billing information of Telfort customers. "Huawei could have accessed customer data and if they wanted to they could have forwarded everything to China. There was just never an investigation into exactly what they copied," an insider told me about the issue at the time.
KPN has always denied that Huawei had penetrated the core of its network. The tech company from China has always denied the allegations of spying. Anonymous sources claim that the network equipment manufacturer still has access to all of KPN's systems.
Based on these reports and accusations, Agentschap Telecom decided to conduct an in-depth technical investigation into the current security of KPN's interception facility. That system contains information about persons being tapped. This is commissioned by the Public Prosecutor, General or Military Intelligence and Security Service (AIVD and MIVD).
The investigation shows that KPN did not take sufficient security measures to protect the interception system from unauthorized access. Because state secret information may be at stake in the interception facility, the government imposes strict requirements on those who have access to the system. For example, employees must be able to provide a Certificate of Good Conduct (VOG). They must also sign a non-disclosure agreement to access sensitive information.
"The investigation shows that KPN has adequately secured 'the front door' to its systems. No one other than KPN decides who gets access to the systems," says John Derksen, head of supervision at the Netherlands Radiocommunications Agency. "However, the investigation also shows that a limited group of system administrators who had access to the systems did not have the required Certificate of Good Conduct (VOG) and a confidentiality agreement. Moreover, these individuals did not have a personal account. As a result, their individual actions could not be properly tracked and recorded."
For this violation, the Telecom Agency is handing out a fine of 450,000 euros to KPN. The telecom regulator says KPN cooperated fully with the investigation. The provider has taken measures to bring the security level of the interception system up to standard. The authorization process has been improved and all system administrators have the required documents.
"Agency Telecom has seen essential parts of the improvements and the remaining improvements will be checked in the regular inspection process under the tightened duty of care," the agency said. However, it is insufficient for KPN to get out from under the fine of nearly half a million euros.
"The security and integrity of telecom networks are vital to our society and our economy. This is what the agency's employees are committed to every day," the Agency writes. The goal of the investigation into the security of the interception system is to make the telecom sector -and thus society- resilient against current and relevant threats.
https://www.agentschaptelecom.nl/actueel/nieuws/2022/08/30/tekortkomingen-in-beveiliging-van-aftapvoorziening-kpn
