Dutch regulator imposes € 2.25M fine on Vodafone for insecure tapping system

The Dutch Authority for Digital Infrastructure (RDI) has fined Vodafone for € 2.25 million for insufficiently securing its tapping system.

A tapping system contains information about people or organizations that are being tapped. This is the case when communication from organizations or its employees is intercepted, including reading messages sent via text message, chat or email.

Tapping takes place under strict conditions and only if the Public Prosecutor, General Intelligence and Security Service (AIVD) or Military Intelligence and Security Service (MIVD) orders it.

By tapping an organization’s communication, it’s possible to obtain sensitive information, like criminal intelligence or government secrets that can pose a threat for national security. That’s why strict requirements are imposed on security, both to the physical space the system is located and to access to the automated systems.

In addition, organizations that keep track of intercepted messages must implement organizational safety measures to prevent unauthorized access.

The Dutch Authority for Digital Infrastructure (RDI), the regulator that oversees that everyone complies with the rules, requirements and conditions that ensure the availability and reliability of the digital infrastructure in the Netherlands, has conducted an investigation into Vodafone’s tapping system.

The RDI came to the conclusion that Vodafone’s tapping system was inadequately secured in several ways.

First of all, the telephone company is required by law to formulate a security plan, in which it describes how the company intends to comply with its security obligations. The plan must also indicate which security measures are taken to secure the tapping system. Vodafone’s security plan didn’t meet these requirements.

Furthermore, the investigation showed that the staff members who had access to the tapping system had not been properly screened. A large number of them lacked an adequate job description, a signed confidentiality agreement and a Certificate of Conduct.

Lastly, the physical security of the tapping system itself appeared to be inadequate, which made it vulnerable to unauthorized access. For example, there was no blocking when exceeding three incorrect login attempts, and no external logging and detection was enabled.

According to the RDI, there’s no evidence for unauthorized access to the tapping system or tapping data. All things considered, the Dutch regulator decided to impose a € 2.25 million fine.

Vodafone has taken action to improve the security of its tapping system. The RDI says that all the risks of unauthorized access to tapping data have been eliminated.