Dutch prosecutor disconnects internal systems from internet over vulnerability

The Public Prosecution Service (OM) has disconnected all internal systems from the internet. The reason for this is a warning from the National Cyber Security Centre (NCSC) that there is "a vulnerability" in the system that gives users access to the office automation system, the Citrix NetScalers.

"A thorough analysis of the OM’s systems has provided reason to believe that this potential vulnerability was indeed exploited," a spokesperson confirmed.

Employees are temporarily unable to log in to the OM’s system. The OM cannot yet say what consequences this may have for criminal cases, as prosecutors are unable to log into the systems during hearings.

Despite this, it seems to be the case that the trials scheduled for Friday will continue. “If the OM is unable to attend a hearing, they notify the court. The court then makes a decision. Several courts are printing the case files for the prosecutors so that hearings can still go ahead.” The spokesperson for the Council for the Judiciary says they have not yet heard of any criminal hearings being postponed.

A warning about this issue has been circulating for a while. The NCSC already issued a warning in June and early July, which included the statement: “Cyber criminals could exploit the vulnerability to gain unauthorized access to certain parts of the system.” The spokesperson has not yet answered whether this was also the case at the Public Prosecution Service.

Justice minister David van Weel has written a letter about the security issue to notify the Tweede Kamer, the lower house of Dutch parliament. He added that the OM has notified their employees through an internal message.

The OM had to deal with a network outage at the end of March, which caused problems for days. Employees were also unable to log in during that time. Whether that incident had the same cause is unknown.