Dutch regulator fines Vodafone €2.25 million for poor security of its wiretapping system
The National Digital Infrastructure Inspectorate (RDI) has fined Vodafone 2.25 million euros for not properly securing its wiretapping system. According to the Dutch regulator, Vodafone’s security for this system, which could contain state secrets or criminal information, did not meet the legal requirements in several areas.
In the Netherlands, wiretapping is only allowed under strict conditions and on the orders of the Public Prosecution Service (OM) or the intelligence services AIVD or MIVD. Dutch law also sets strict requirements on telecom providers’ wiretapping systems because these systems can contain sensitive information.
Telecom companies must properly secure the physical space in which their wiretapping system is located, secure access to the system, and prevent information from the system from reaching unauthorized persons.
According to the RDI, Vodafone’s security plan did not meet the requirements. The telecom provider also did not properly screen the personnel who had access to the system. “A large number of them lacked an adequate job description, a signed confidentiality statement, and a certificate of good conduct,” the inspectorate said.
The physical security of the system itself was also inadequate, making it vulnerable to unauthorized access, the RDI said. However, it stressed that its investigation found no indications that anyone gained unauthorized access to wiretapping data.
Vodafone has since taken action to get its security in order and eliminate the risks of unauthorized access to wiretapping data, the inspectorate said.
