WhatsApp accounts of members of the Senate and House of Representatives were taken over last year

Criminals took over WhatsApp accounts of both Senate and House members and officials of ministries last year. The Court of Audit concludes that information security is also not yet in order at many government organisations.

WhatsApp accounts have been taken over from at least five members of the House of Representatives, a member of the Senate, top officials from the Ministry of Economic Affairs and Climate and various employees of almost all ministries. The Court of Audit concluded this in its accountability audit. According to the report, the hackers in these cases were money, but it is conceivable that it could also have been information.

In the report, the Court of Audit outlines which method criminals use to gain access to the WhatsApp accounts of civil servants. It involves the way in which an attacker logs into WhatsApp with the victim’s phone number and then tries to retrieve the verification code by posing as someone known.

WhatsApp is discouraged by the government for business use and should not share sensitive information. Nevertheless, many civil servants use the chat app, not only for private purposes, but sometimes also for work, the Court of Audit concludes. Government IT helpdesks do not support WhatsApp. According to the agency, a disadvantage of this is that not all takeovers of accounts and attempts to do so are reported.

Information security not in order

According to the Court of Audit, eleven of the eighteen organizations surveyed do not yet have their information security in order and there is no improvement across the board compared to 2019. The massive working from home in 2020 also brought new risks with it.

However, the report does state that progress has been made in recent years. Almost all organizations that did not have their information security in order in 2019, have made it work in 2020. However, that has not yet yielded enough to ‘adequately manage’ the risks. The Court of Audit also concludes that this also applies to its own information security.

Potential data breach Ministry of Foreign Affairs

There may have been a data breach at the Ministry of Foreign Affairs as a result of poor information security. During its investigation into the repatriation of travelers stranded abroad, the Court of Audit came across lists of names, addresses, dates of birth, telephone numbers, bank and insurance details of eighteen thousand people.

All employees with an account of the Ministry of Foreign Affairs could access this data, instead of a small number of authorized representatives. That data breach has been sealed and, according to additional research, it would have been found that only authorized persons had consulted the information.

As a result of the potential leak, further investigations were conducted into information security at the Ministry and it appeared that access to confidential documents was not properly protected. Searching with keywords such as ‘private’ yielded confidential documents, including minutes of closed meetings, and an overview of usernames and login codes for an embassy’s social media.