VRT: audits warned about IT security in Antwerp in 2021 and 2020

The city of Antwerp was warned in two audits about the poor security of the city’s computer systems. For example, the city used outdated software and had a weak password policy. The city is still suffering from a hacking attack from December.

VRT was given access to two audits that were carried out in 2020 and 2021, in which the security of the computer systems was examined. Both audits show that the computer systems were vulnerable. For example, not all systems had multi-factor authentication set up and there was no strong password policy. The audits also mention too many users who have too many rights and Windows software that has not been supported since 2015.

If a hacker were to gain access to the computer systems of the city of Antwerp, he could also immediately gain access to a lot of documents, the audits show. For example, during the audits there were at least 138 shared folders with ‘a lot’ of personal data that could be opened by ‘standard users’. This involved medical certificates, unsuitability certificates and pay slips with personal data. Furthermore, the city’s data protection officer wrote in the 2021 annual report that an information security plan with recommended actions and measures is ‘gathering dust’.

Following the audits, the city decided to improve security and, for example, launched a cybersecurity program in October 2021. According to VRT, that program stated that ‘with current technical backups there is no guarantee of minimum service’ after a hack. That’s why the city switched to locally backing up important computer systems. Cloud backup was seen as too expensive.

That cybersecurity program was delayed at the end of 2022. For example, the improved password policy, multi-factor authentication and limiting access rights had not yet been fully implemented. In early December 2022, the city was hit by a cyber attack. During that hack, 557GB of data was stolen, including private data of Antwerp residents. Residents were also limited in arranging digital affairs and the city could no longer collect parking fines, for example. Nearly three months after the attack the city is still suffering from the hack.