Dutch government illegally shared data about infected systems

The Dutch National Cyber Security Center (NCSC) shared information about infected FortiGate systems in the Coathanger case with other countries without a legal basis. Because personal data may have been provided in the process, a data breach has been reported to the Dutch Data Protection Authority (AP). Minister of Justice and Security Van Weel (VVD) reports this in a recent letter to Parliament.

According to the letter to the parliament, the NCSC deliberately shared information about infected Fortinet FortiGate systems with other countries without a legal basis for doing so. The information concerned Dutch FortiGate systems that had been compromised by a “Chinese state actor.” The data was shared with the United States, the United Kingdom, Canada, and Japan.

At issue was the “Coathanger” case, in which Chinese state hackers gained access to a stand-alone Defense Ministry network. The malware used looked for security vulnerabilities in Fortinet’s FortiGate systems. In 2022 and 2023, the Chinese gained access to at least 20,000 FortiGate systems worldwide.

Severity of hack enabled sharing

In the letter, Minister Van Weel indicated that the severity of the Chinese cyber-espionage campaign made it necessary to share data with foreign colleagues anyway. Only later did it turn out that there was no legal basis for this.

By law, the NCSC may only share data with vital companies and the government in the Netherlands. In addition, data may be shared with the CSIRTs of EU member states and with intelligence and security services, which is what happened in this case. For countries outside the EU, which have now apparently received data anyway, the law does not allow this.

The data shared consisted of lists, compiled by the MIVD, of IP addresses potentially compromised by hackers per individual country. Because personal data may have been shared during the process, the NCSC reported a possible data breach to the AP regulator.

Measures to be taken

Minister Van Weel has announced measures to prevent a recurrence in response to the unlawful sharing of data with countries outside the EU. For example, additional safeguards have been built into the NCSC to ensure the correct procedures are followed. This includes tightening technical and organizational measures. Also, the process for information sharing has been further improved, and employees are being better trained to keep the framework around information sharing constantly up to date.

On the technical front, measures are being taken to improve the automated recording of factual actions, improve the recording of decision-making, and further structure the transfer of cases between different officers.

The minister expects that the entry into force of the NIS2 directive will soon change the legal framework within which the NCSC operates. Within this EU directive, member states will have more opportunities to share (cybersecurity) data with countries outside the EU.
