More than a year ago, de Volkskrant revealed that KPN’s wiretapping system did not meet the legal security requirements. After an investigation, the Telecom Agency has concluded that KPN did indeed act in violation of the law. The violation mainly concerns the control and authorization of third-line external administrators. This is partly why the agency is imposing a fine of 450,000 euros on the provider. Of course, the provider can still object to the fine. That should
Unauthorized, unrestricted and uncontrolled access
The so-called interception system is used to store personal data and data of persons whose mobile or fixed telephone lines are intercepted by order of the judicial authorities. The system is said to have been insufficiently secured, so that persons within the organization could gain unauthorized, uncontrolled and unlimited access to that data.
As a result of these revelations, the Telecom Agency (AT) started an investigation last year into the security of the interception system. The provider has since resolved the problems and also cooperated fully during the investigation. Nevertheless, the AT has now imposed a fine of 450,000 euros on KPN for not having the security in order (for years).
“The investigation showed that a limited group of system administrators who had access to the systems did not have the required Certificate of Good Conduct (VOG) and a non-disclosure agreement. Moreover, these people did not have a personal account. As a result, their individual actions could not be properly tracked and registered,” said John Derksen, head of Supervision of the Telecom Agency.
The full report of the investigation and the fine, minus a whole lot of confidential passages, can be read here (pdf)