In 2020, there were several information security incidents at ministries and the High Colleges of State. WhatsApp accounts of both Senate and House of Representatives members and ministry officials were taken over by criminals, there was a possible data breach at the Ministry of Foreign Affairs, and the secure use of applications for video meetings was insufficiently guaranteed.
Worldwide, governments are targeted almost daily by cyber attacks, and so is the public sector in the Netherlands. Mass home working in 2020 brought new risks. In light of these and other permanent threats, the Court of Audit assesses the information security of ministries and High Colleges of State. At 11 of the 18 organizations examined, information security is not yet in order.
The government-wide investigation into information security reveals that last year criminals succeeded in hacking the WhatsApp accounts of at least five members of the House of Representatives, one member of the Senate, top officials of the Ministry of Economic Affairs and several employees of almost all ministries. The attackers were after money, but it is conceivable that information could also have been involved. This underlines the importance of continuous attention to and awareness of the secure use of WhatsApp at all levels within the national government.
Possible data breach at the Ministry of Foreign Affairs
The Court of Audit found a possible data breach at the Ministry of Foreign Affairs. It involved personal data such as names, addresses, bank details and medical information of over 18,000 people who were abroad during the corona crisis and wanted to return to the Netherlands. These personal data should have been accessible only to a small group of authorized persons, but turned out to be viewable by many other employees of the Ministry of Foreign Affairs. The ministry closed the data breach. Additional technical investigation revealed that in practice only authorized persons had accessed the information.
The incident led to further investigation into the broader issue of information security at the ministry. The Court of Audit subsequently found a similar risk with another Ministry of Foreign Affairs ICT system. Searches using terms such as "private" and "secret" yielded confidential documents such as minutes from foreign posts and login information for an embassy's official Twitter account. This information was accessible to virtually all ministry employees. The data was later shielded as a result of the investigation.
In 2020, the corona crisis also forced ministries to suddenly make large-scale use of video conferencing programs such as WebEx and MS Teams. The Court of Audit understands the circumstances under which video calling was made possible, but also points out that organizations of the national government should explicitly consider the risks around information security when commissioning a new application and take measures to ensure secure use. In many cases, this was not done or was done late.
Virtually all organizations that did not have these and other aspects of information security, such as incident management, risk analysis and system design, in place in 2019 have addressed them in 2020. However, this has not yet resulted in control of the risks. The Court of Audit finds that the line ministries are not yet sufficiently fulfilling their duty to provide information to the Minister of the Interior and Kingdom Relations in order to improve information security government-wide on the basis of the risks present per ministry. For this reason, the Court of Audit repeats last year's recommendation to the Minister of the Interior and Kingdom Relations to hold the line ministers accountable for this.