Tax Authority data mismanagement: details of thousands of Dutch leaked

Belastingdienst tax blue envelope
Euros on the well-known "blue envelope" sent by the Belastingdienst, the Dutch tax officeJoeppoulssenDepositPhotosDeposit Photos

An important department of the Dutch Tax Authority did not properly handle personal data of citizens and companies, according to several investigations into security in the Data & Analytics Department. As a result, the personal data of tens of thousands of Dutch leaked in various ways, including being sent to third parties or taken home by employees. The investigations also found that tax employees searched for information about individual tax payers, RTL Nieuws reports.

Investigations were launched by the government's internal auditor, the Tax Authority itself and the Personal Data Authority following a report by Zembla saying that the data of 11 million taxpayers and 2 million companies were insufficiently secured in the period between 2013 and 2016. The Tax Authority initially denied this report, but at the insistence of the Tweede Kamer, responsible Finance State Secretary Eric Wiebes ordered an investigation.

The investigation carried out by the Tax Authority itself showed that data was indeed not well protected between January 2012 and February 2016. A second investigation into the period between February 2016 and February of this year showed that the personal data of tens of thousands of Dutch left "the safe environment of the Tax Authority", according to the broadcaster.

For example, in July 2016 the Tax Authority sent income tax data from 2011 of 50 thousand Dutch to an email address outside the Tax Authority. Which email address is not clear. In December of 2016, the Tax Authority sent an attachment containing details about the income, tax debts and bank deposits of 250 Dutch to "an email account of a company". A tax employee sent an attachment containing data about the sales tax of 11 thousand companies to another company. And data is stored on an external Amazon server.

A sample analysis of the Tax Authority's email program found 21 emails containing attachments or subjects with a worrying name. Exactly what was sent is unclear. Four emails were deleted by the sender him- or herself, and the other 17 were deleted because the sender no longer works at the Tax Authority. Another sample analysis revealed that employees searched for data on three individual citizens, including a well-known person that the Tax Authority describes as a VIP. 

The investigation also revealed that it is impossible to verify whether outside IT workers dealt properly with the Tax Authority data they had access to while working on computers, or whether they leaked it. It cal also not be verified whether data on an external hard drive given to a company was made anonymous. And the investigators could not find out whether this data was well protected and eventually destroyed. 

Previous warnings about the risks of data leaks were ignored. It was possible to send data directly from the Tax Authority's software by email. And employees were able to send data from their work computer by email, or copy it to usb. 

In a letter Wiebes sent to the Tweede Kamer with the outcomes of these investigations, he wrote that data was taken from the tax offices because employees wanted to work at home. "That is against the rules and unacceptable", he wrote. But he emphasized that no evidence was found that the personal data was used for anything other than work. The Public Prosecutor, which also investigated the situation, agrees with that statement. 

The Personal Data Authority's investigation is still ongoing. A spokesperson told RTL Z that they are "certainly interested" in the results of the other investigations. "We are going to study the reports."

Wiebes is debating the outcomes of these investigations, as well as the Tax Authority's struggling reorganization, with the Tweede Kamer on Wednesday next week.