Software the government uses for videoconferences can be hacked, says minister

The software the central government uses for videoconferences can be hacked, reports outgoing State Secretary Alexandra van Huffelen (Digitalization). his made it possible to retrieve certain data from at least six members of the government, but they were probably not intercepted. The security gaps have since been fixed.

On Tuesday, the German newspaper "Die Zeit" discovered the security vulnerabilities and informed the Dutch government. So-called metadata from video meetings and several ministers could be found through holes in the software. This concerns "at least the title of the meeting, the organizer/host, time of the meeting, and the meeting ID (a random number)."

As far as is now known, data from video conferences of several ministers, such as Mark Harbers (Infrastructure and Water Management), Conny Helder (VWS), Hugo de Jonge (Home Affairs and Kingdom Relations), Franc Weerwind and Dilan Yeşilgöz (Justice and Security) and Van Huffelen could be accessed through the leak.

The software comes from the American company Cisco. He did not inform the central government directly. "I find it unacceptable that this could have happened and that these vulnerabilities in the central government came to us via the German media instead of via the supplier," the minister wrote to the House of Representatives.

A source from "Die Zeit" was able to listen in on some German meetings. "Given how the Dutch National Video environment is set up, it is unlikely that this has also happened to us; this is being investigated further," says Van Huffelen. She has informed the Dutch Data Protection Authority (AP) of the leak.

Because the leak has been resolved, the central government can continue using the software, except for "discussions classified as highly confidential or where state secret information is discussed." Cisco must explain the leak to the ministry on Thursday and why the central government was not informed earlier.

Cisco says on its website that it has been aware of the security vulnerabilities since early May. Customers against whom "observably successful attempts" have been made are said to have been notified by the company. Cisco also states through a spokesperson that it has taken action against the security problems and that an investigation is ongoing. The company and the spokesperson did not respond to Van Huffelen's criticism.