A major data leak has impacted the Dutch government, exposing private information from civil servants across all ministries. The leak occurred on government websites, including rijksoverheid.nl, openoverheid.nl, and overheid.nl. Metadata attached to approximately 100,000 of the 500,000 documents reviewed revealed the names of civil servants. The Open Government Act (WOO) publishes and shares documents such as policy notes, reports, and memoranda with the public.
When the documents were converted into PDF format, the metadata embedded in the files included details about which officials and civil servants edited the documents. This metadata often contained names or usernames, and in some cases, even telephone numbers.
Since the discovery of the issue last week, the government has taken steps to prevent further occurrences. However, older documents may still contain personal data.
“Initial analyses indicate that approximately 23% of the published documents contain incorrectly filled-in metadata fields. We are continuing to investigate and expect this issue to extend beyond central government platforms,” Szabó wrote.
The investigation into the full scope of the data leak is ongoing. The Ministry of the Interior discovered the leak during an internal audit and reported the incident to the Dutch Data Protection Authority on April 8. The Ministry of Housing and Spatial Planning also reported the breach, with five other ministries later joining in. The remaining six ministries contacted the regulator independently.
“I regret that the public learned about this data leak through the media before our employees or Parliament were informed,” Szabó stated in his letter to the chair of the Tweede Kamer, the lower house of Parliament. “We first needed to assess the size and impact of the issue, determine the necessary measures, and shield as much personal data as possible.”
The Ministry of the Interior contacts other governments, anticipating that other government websites have been affected by the same problem.
