© 2025 CoolTechZone - Latest tech news,
product reviews, and analyses.

Dutch Secretary: ‘NCSC shared sensitive information without legal basis’


The National Cyber Security Centre (NCSC) has shared sensitive information with Canada, Japan, the United Kingdom and the United States without a legal basis to do so.

In a letter addressed to the House of Representatives of the Netherlands, Secretary of Justice and Security David van Weel says the Dutch cybersecurity authority only shared IP addresses of FortiGate systems that were possibly infected with advanced Chinese malware.

This so-called COATHANGER campaign abused a known vulnerability in FortiGate systems (CVE-2022-42475) to infect them with malicious software. In just a couple of months, Chinese state-sponsored hackers were able to access over 20,000 FortiGate systems worldwide, including a stand-alone system of the Dutch Ministry of Defense.

At the request of the NCSC, the Military Intelligence and Security Service (MIVD) has drawn up a list of IP addresses of FortiGate systems to which the threat actor possibly gained access. This information has been shared with the NCSC to inform victims about the infection so they could take adequate countermeasures.

The NCSC in turn handed this information over to several European member states, but also to four non-European countries, namely Canada, Japan, the United Kingdom and the United States. For the latter four, there is no legal basis that permits this kind of information transfer.

According to Secretary Van Weel, the NCSC initiated this information exchange due to the seriousness of the FortiGate cyber espionage campaign. Later on it turned out to be without legal basis.

“The spyware used is very difficult to recognize within a network without knowing exactly in which system it is located. Therefore, providing specific IP addresses is necessary to be able to take adequate countermeasures, as was done in this case,” the secretary says.

IP addresses are considered sensitive information, because they can be traced back to specific organizations and even individuals. Sharing IP addresses with non-European Computer Security Incident Response Teams (CSIRTs) is therefore not allowed. Because it’s hard to say whether personal information was distributed, Secretary Van Weel informed the Dutch data protection authority (DPA) about the incident.

To make sure this doesn’t happen again, the NCSC has tightened its work process for information sharing. The institution will also start a training program on information sharing for the employees who deal with this kind of work.

