WhatsApp accounts of Senate and House of Representatives members were taken over last year
Last year, criminals took over WhatsApp accounts belonging to members of both the Senate and the Lower House, as well as government officials. Information security is also still not in order at many government organizations, the Court of Audit concludes.
The WhatsApp accounts of at least five MPs, a member of the Senate, top officials from the Ministry of Economic Affairs and Climate Policy, and various employees from almost all ministries have been taken over. The Court of Audit concludes this in its accountability audit. According to the report, the hackers in these cases were after money, but it is conceivable that they could also have been after information.
In the report, the Court of Audit outlines the method criminals use to gain access to the WhatsApp accounts of civil servants. In this method, an attacker logs in to WhatsApp with the victim’s phone number and then tries to obtain the verification code by posing as an acquaintance.
The government advises against using WhatsApp for business purposes, and no sensitive information may be shared through it. Nevertheless, many civil servants use the chat app, not only for private purposes but sometimes also for work, the Court of Audit concludes. Government ICT help desks do not support WhatsApp. According to the authority, a disadvantage of this is that not all account takeovers and takeover attempts are reported.
Information security not in order
According to the Court of Audit, eleven of the eighteen organizations surveyed do not yet have their information security in order and there is no improvement overall compared to 2019. Mass teleworking in 2020 also brought new risks.
The report does state that progress has been made in recent years. Almost all organizations that did not have their information security in order in 2019 worked on this in 2020. However, this has not yet yielded enough to ‘control the risks sufficiently’. The Court of Audit concludes that this also applies to its own information security.
Potential data leak from the Ministry of Foreign Affairs
As a result of the inadequate information security, the Ministry of Foreign Affairs may have had a data breach. During an investigation into the repatriation of travelers stranded abroad, the Court of Audit came across lists with the names, addresses, dates of birth, telephone numbers, and bank and insurance details of eighteen thousand people.
All employees with a Ministry of Foreign Affairs account could access that data, instead of a small number of authorized representatives. The leak has been closed, and additional research indicated that only authorized persons had consulted the information.
In response to the potential leak, further investigation was conducted into information security at the ministry, which revealed that access to confidential documents was not properly protected. Searching with keywords such as ‘private’ yielded confidential documents, including minutes of private meetings, and an overview of usernames and login codes for an embassy’s social media.