In a significant breach of privacy, all Dutch ministries have reported a datalek affecting government websites, resulting in the exposure of personal data of civil servants. The leaked information includes names, usernames, and in some cases, phone numbers, which were not adequately removed from documents uploaded to various ministry websites.
The Ministry of the Interior disclosed the incident in a letter to Parliament, emphasizing that the consequences of the breach are challenging to assess due to the rapid dissemination of information through the media. State Secretary Zsolt Szabó addressed the issue, stating that the leak occurred during the uploading of documents, which should have been stripped of sensitive information before publication.
Initial analyses indicate that approximately 23 percent of the published documents failed to have personal data removed. This alarming statistic was revealed as part of ongoing investigations into the extent of the datalek, which has affected documents published on platforms such as open.overheid.nl, Rijksoverheid.nl, and Overheid.nl.
According to Szabó, names of civil servants were visible in the metadata of 100,000 out of 500,000 documents examined. This metadata included not just names but also usernames and, in a limited number of cases, phone numbers. The documents consisted of various types, including policy notes, reports, and materials shared under the Government Information (Public Access) Act.
The issue arose because metadata from documents remained intact when converted to PDF format, allowing sensitive information to be inadvertently published. Szabó noted that the problem was not limited to the Rijksoverheid's publication platforms, as all ministries have made preliminary reports of this datalek to the Personal Data Authority, a requirement for breaches of this magnitude.
On April 8, 2025, the ministries of the Interior and Housing and Spatial Planning were among the first to notify the Personal Data Authority about the leak. Following this, a central disaster team was established, led by the Chief Information Security Officer (CISO) of the government, to coordinate a comprehensive response to the breach.
Szabó expressed his regret that news of the leak had circulated before the affected employees and members of Parliament could be informed. He emphasized the importance of understanding the full scope of the issue and implementing necessary measures to mitigate the impact.
In response to the breach, immediate measures have been taken to prevent the publication of unwanted metadata in future documents. Additionally, a plan of action is being developed for documents that have already been made public, which may involve temporarily removing certain documents from the websites.
Despite these efforts, the Ministry of the Interior acknowledged that personal data could still be present in older documents. Ministries have the option to take such documents offline temporarily as a precautionary measure.
The ongoing investigations aim to analyze the situation further and assess the risks associated with the data leak. As the situation develops, authorities are also in contact with other governmental bodies to determine if similar issues exist on their websites.
Szabó reassured that measures are being implemented to address the problem for the future, stating, "The problem has been resolved for the future." However, the full extent of the data breach remains unclear as investigations continue.
This datalek has raised serious concerns about the handling of sensitive information within government bodies and the potential implications for the privacy of civil servants. As authorities work to rectify the situation, the focus will be on ensuring that such breaches do not happen again.
The incident serves as a reminder of the critical importance of data protection and the need for stringent measures to safeguard personal information in an increasingly digital world.
