Thursday’s major data breach occurred during the upload process to the government website. As a result, the personal data of civil servants has inadvertently remained visible.
NOS journalist Joost Schellevis has discovered this. The core of the problem lies in the upload process. Documents contain metadata such as the name of the author. When published on government sites, this information should be removed to protect the civil servants’ privacy. However, this did not happen with uploads to the central government site, as a result of which civil servants’ personal details remained visible.
It is striking that the metadata of documents uploaded to the House of Representatives site was removed correctly. Why this difference exists is still unclear. It could be a technical error in the system or possibly a human error when manually uploading documents.
Potential risks for civil servants
The seriousness of this data breach depends greatly on the nature of the documents and the civil servants involved. In the case of sensitive policy documents, it may be undesirable for the author to be known. A civil servant working on controversial subjects may prefer to keep it secret.
Although there are no known cases yet where civil servants have suffered any disadvantage, the ministries involved are taking the matter seriously. The Ministry of the Interior and Kingdom Relations has confirmed that it has initiated an official data breach procedure and that the Dutch Data Protection Authority has been called in.
In the coming days, it should become clear how extensive the breach is and which ministries, besides the Ministry of the Interior and Kingdom Relations, the Ministry of Economic Affairs, and the Climate Policy and Green Growth are also involved. A special team is investigating the exact scope and impact of the incident.