How could two employees of the Dutch municipal health organization for preventive healthcare (GGD) steal millions of personal records of Dutch citizens and start selling them on the open market?
In the Netherlands about 8 million coronavirus tests have been done. In addition, over 800 thousand source and contact tracing investigations have been carried out. All this information is stored in the GGD databases, which contain personal information of everyone who has participated in any coronavirus-related GGD activity.
What Went Wrong?
It turned out that GGD employees could search for specific persons or take a complete dump of the database. The idea was to enable an employee to quickly find the test result of any person in the database.
Employees could then do a global search and export the result to an external file, which could then be downloaded and forwarded to anybody within or outside the GGD.
Apparently, this utter disregard for privacy had been going on for months at the GGD. About 26,000 employees and call centre employees had access to the database. Of these, 8,000 had access to the source and contact tracing information. It is unclear how many of these people could export the content of the entire database.
The Bad News
The leaked data contains full name, email address, home address, telephone numbers, social security numbers, gender and date of birth, as well as medical records and the contact tracing information. In fact, the data haul contains everything needed for identity theft and potential blackmail.
How often do such things happen?
Unfortunately, data leakage at government institutions in the Netherlands is very common, but a malicious event where private data of citizens is leaked from the government and sold on the open market is not.
In March last year a data leak was discovered in the infection radar of the National Institute for Public Health and the Environment (RIVM), the body responsible for coronavirus management in the Netherlands. Due to poor security programming, non-technical users could see the information filled in by other users.
It seems many government organizations have not yet treated data loss prevention and zero trust security as very important. Otherwise, it is mind-bending to imagine how these employees could not only see all personal data of citizens, but search for someone in the database, dump the result to a file and forward it out of the organization without any alarm going off.
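As an added example (not from the original post and not GGD's own code), the following script shows the kind of "red light" that was missing: a small set of detection rules run over application audit logs, flagging a bulk export, an export with no case reference to justify it, and an account looking up far more records in a short window than a call-centre shift plausibly needs. The log format, the field names, the `CASE-` reference convention and every threshold are assumptions made for illustration; the sample log is constructed.

```python
"""Detection rules for bulk access to a person-lookup database.

Added example, not the original post's or the GGD's code.  The log format
(timestamp|user|action|records|case_ref), the field names and the thresholds
are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    user: str
    action: str     # "lookup" (one person) or "export" (file written)
    records: int    # number of records returned or written
    case_ref: str   # ticket/case id justifying the access; empty if none


def parse_log(text: str) -> list:
    """Parse pipe-separated audit lines (assumed format) into Event objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, action, records, case_ref = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), user, action,
                            int(records), case_ref))
    return events


def detect(events, export_limit=100, lookup_limit=20,
           window=timedelta(minutes=10)) -> list:
    """Return a list of alerts (dicts with rule, user, ts, detail).

    Rules (thresholds are assumptions):
      bulk_export        - one export writes more than export_limit records
      unjustified_export - an export carries no case reference
      lookup_rate        - lookup_limit lookups by one user inside window
    """
    alerts = []
    recent = defaultdict(deque)   # user -> timestamps of lookups in window
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "export":
            if ev.records > export_limit:
                alerts.append({"rule": "bulk_export", "user": ev.user,
                               "ts": ev.ts, "detail": f"{ev.records} records"})
            if not ev.case_ref:
                alerts.append({"rule": "unjustified_export", "user": ev.user,
                               "ts": ev.ts, "detail": "no case reference"})
        elif ev.action == "lookup":
            q = recent[ev.user]
            q.append(ev.ts)
            while q and ev.ts - q[0] > window:   # drop lookups older than window
                q.popleft()
            if len(q) == lookup_limit:           # fire once, when limit is reached
                alerts.append({"rule": "lookup_rate", "user": ev.user,
                               "ts": ev.ts,
                               "detail": f"{len(q)} lookups in {window}"})
    return alerts


def constructed_log() -> str:
    """Constructed sample: one normal agent and one account dumping the table."""
    lines = [
        "2021-01-20T09:01:12|agent17|lookup|1|CASE-4431",
        "2021-01-20T09:03:40|agent17|lookup|1|CASE-4432",
        "2021-01-20T09:20:00|agent17|export|12|CASE-4432",
    ]
    start = datetime(2021, 1, 20, 9, 10, 0)
    for i in range(25):   # 25 lookups in four minutes, none tied to a case
        lines.append(f"{(start + timedelta(seconds=10 * i)).isoformat()}"
                     "|agent42|lookup|1|")
    lines.append("2021-01-20T09:15:00|agent42|export|250000|")
    return "\n".join(lines)


def run_demo() -> list:
    """Run the rules over the constructed log and return the alerts."""
    return detect(parse_log(constructed_log()))


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a['ts'].isoformat()} {a['rule']:<18} {a['user']:<8} {a['detail']}")
```

The two design choices that matter are the justification field and the per-user rate window: requiring every lookup or export to carry a case reference turns "why did this account look this person up?" into something the log can answer, and the sliding window catches an account that harvests records one at a time instead of taking a single large export. In a real deployment the export size limit would be enforced in the application rather than only alerted on, and the alerts would feed a SIEM rather than stdout.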
Data loss prevention training for your organization
Training programs to help your organization prevent data loss.