Select Page
Why do the Dutch government keep making these blunders?
January 28, 2021

How could two employees of The Dutch municipal health organization for preventive healthcare GGD steal millions of personal data from Dutch citizens and start selling them in the open market?

The Background?
In the Netherlands about 8 million coronavirus tests has been done. In addition, there are over 800 thousand source and contact tracing carried out. All this information is stored in the GGD databases which contains personal information of all those that have participated in any coronavirus related GGD exercises.

What Went Wrong?

It happened that GGD employees could do a search of specific persons or a complete dump of the database. The idea was to enable an employee to quickly find the test result quickly of any person in the database.

Employees then do a global search and export the result to an external file which could then be downloaded, forwarded to anybody within or outside the GGD.

Apparently, this outer disregard to privacy has been going on for months at the GGD. Apparently about 26,000 employees and call centre employees had access to the database. From these, 8000 of them had access to the source and contact tracing information. It is unclear how many of these people could export the content of the entire database.

The Bad News

The data leak contains full name, email address, home address, telephone numbers and social security numbers, gender, date of birth. Medical records and the contact trace information. In fact, the data haul contains all you need for an identity theft and for potential blackmail.

How Often does such things happen?

Unfortunately, data leakage at government institutions in the Netherlands is very common, but such a malicious event where you have the private data of citizens leaked from the government being sold in the open market is not very common.

In March last year a data leak was discovered at the infection radar of the National Institute for Public Health and the Environment (RIVM). This body is responsible for the handling of the Coronavirus management in The Netherlands. Due to poor security programming non-technical users could see the information filled in by other users.

It seems many government organizations have not really taken data loss prevention and Zero trust security as very important yet. Otherwise, it is mind-bending to imagine how these employees could not only see all personal data of citizens but do a search of someone in the database and finally able to dump the result to a file and forward it out of the organization without a red light going off.


Data loss prevention training for your organization

Training programs to help your organization prevent data loss.

More Articles

Surviving Identity Theft

Surviving Identity Theft

What is Identity Theft? Identity theft happens when a criminal steals information about you and uses that information to commit fraud, such as requesting unemployment benefits, tax refunds, or a new loan or credit card in your name. If you don’t take precautions, you...

Securing Wi-Fi At Home

Securing Wi-Fi At Home

Overview  To create a secure home network, you need to start by securing your Wi–Fi access point (sometimes called a Wi–Fi router). This is the device that controls who and what can connect to your home network. Here are five simple steps to securing your home Wi–Fi...