In a major security incident, an employee at Justis, a department of the Dutch Ministry of Justice and Security, falsified multiple reports regarding the department’s DigiD connection.
What is DigiD?
DigiD stands for Digital Identification, a system used in the Netherlands to verify the identity of citizens online. It allows individuals to access services from various government organizations, including tax return submission, address changes, and more.
Falsification Discovered in Justis Department
A Justis employee, part of the Dutch Ministry of Justice and Security, has been found to have falsified multiple security reports relating to the department’s DigiD connection. The minister for Legal Protection, Weerwind, recently reported this alarming incident to the House of Representatives.
Role of the Dutch Government Audit Service (ADR)
The Dutch Government Audit Service (ADR) serves as the internal auditor of the government and conducts investigations on various matters, including providing advice on information security. The ADR had been commissioned by Justis to investigate the security of the DigiD connection in use.
DigiD and Its Annual Security Assessment
Organizations using DigiD must undergo an annual ‘security assessment’. This ensures the DigiD link to the organization’s web application meets security requirements. Justis, a government body, is responsible for assessing the trustworthiness of individuals and organizations, including issuing Certificates of Conduct (VOG) which employers can request from their staff.
Discrepancies in Security Assessments
The ADR investigation was specifically focused on the ‘Digital Applications’ web environment of Justis. Through this web application, it’s possible to apply online for a Certificate of Conduct (VOG) and various other Justis products. Users must log in via DigiD. However, discrepancies were discovered in February between the DigiD security assessments provided by the ADR to Justis, and the ones submitted by Justis to Logius, the DigiD manager.
Forensic Findings: Altered Reports
Digital forensic investigation revealed that between 2018 and 2022, eleven reports were either modified or falsified. All subsequent comprehensive reports following the first complete, unaltered report in 2018 were altered, with all four improvement reports fabricated.
Other Affected Service: Suwinet
The investigation also discovered that audit reports from another service, Suwinet, used by Justis, were altered. Suwinet is a service that allows government organizations to digitally share citizen and business data securely and swiftly. In 2020, a Suwinet report was modified, and in 2021 and 2022, two reports were falsified.
Actions Against the Implicated Employee
Investigators traced the alterations and falsifications to a single Justis employee. “After careful investigation, measures have been taken against the employee. The employee is no longer employed by the government,” stated Minister Weerwind.
Ensuring Safety: (Re)Audits and Ongoing Investigations
Several (re)audits of the relevant systems have since been conducted. While there seems to be no sign of significant risks or vulnerabilities, ongoing investigations aim to definitively rule this out.