VRT: audits warned in 2021 and 2020 for Antwerp’s IT security

The city of Antwerp had been warned in two audits about the poor security of the city’s computer systems. For example, the city used outdated software and had a weak password policy. The city is still suffering from a December hacking attack.

VRT was given access to two audits conducted in 2020 and 2021, in which the security of the computer systems was assessed. Both audits show that the computer systems were vulnerable. For example, not all systems had multifactor authentication set up and there was no strong password policy. The audits also talk about too many users who have too many rights and Windows software that has not been supported since 2015.

If a hacker were to gain access to the computer systems of the city of Antwerp, they could also gain direct access to documents, according to the audits. For example, during the audits there were at least 138 shared folders with ‘a lot’ of personal data that could be accessed by ‘standard users’. This concerned medical certificates, disability certificates and payslips with personal data. Furthermore, the city’s data protection officer wrote in the 2021 annual report that an information security plan with recommended actions and measures is “gathering dust.”

As a result of the audits, the city decided to improve security and, for example, a cybersecurity program was started in October 2021. According to VRT, that program stated that ‘with the current technical backups there is no guarantee of a minimum service’ after a hack. That’s why the city switched to locally backing up important computer systems. A cloud backup was seen as too expensive.

That cybersecurity program was delayed at the end of 2022. For example, the improved password policy, multi-factor authentication and restricting access rights had not yet been fully implemented. At the beginning of December 2022, the city was hit by a cyber attack. In that hack, 557GB of data was stolen, including private data from Antwerp residents. In addition, residents were limited in arranging digital affairs and the city could no longer collect parking fines, for example. Almost three months after the attack the city is still affected by the hack.