The controversial cyber attack on the KNVB may still have consequences. The Dutch Data Protection Authority (AP), the supervisory authority for personal data, is currently in discussions with the football association about the sensitive issue, a spokesperson said. It is unclear whether this will lead to sanctions. An authority from the security world believes that a fine is appropriate in any case.

AP chairman Aleid Wolfsen accuses the KNVB of maintaining a ‘reprehensible revenue model’ by doing business with criminals. The football association probably paid Russian cyber criminals more than a million euros to recover stolen data containing personal information. The privacy watchdog is currently in discussions with the KNVB about the state of affairs.

The issue is not the payment of the ransom as such, the AP emphasizes. “That’s their choice. This is about the protection of personal data.” The KNVB should have reported the attack to the AP within 72 hours. The association claims to have done so immediately. As the past has often shown, a fine cannot be ruled out.

What happened?

On Saturday, April 1, a cyber attack took place on the IT network at the KNVB Campus in Zeist, the association's head office. The perpetrators were the infamous Russian hacker collective called LockBit. The football association released this news three days later. In that press release, the association stated that it was still investigating exactly what data had been stolen.

The KNVB made no announcements for months afterwards. Images shared online showed that more than 300 gigabytes of data had been stolen, an immense amount. This data, ranging from passports to salary slips of Dutch players, would be released on April 26 if the association did not pay a ransom. The KNVB did not want to say anything about this for a long time. Five months later, the KNVB announced in an advertisement that a ransom had been paid and that there is still a chance that stolen information will appear somewhere on the internet.

‘Error stacked upon error’

The KNVB could have prevented a lot of suffering if it had acted more alertly from the start, had been more transparent and had listened better to experts in the field, says Arwi van der Sluijs, an authority in the field of cybersecurity. His company, NFIR, based in The Hague, was responsible, among other things, for the security review of the corona tracing app. Van der Sluijs immediately adds: "I do not blame the KNVB for being hacked. That happens to all of us. But I'm sure they piled mistake upon mistake from start to finish. I was not involved in this incident, but anyone who studies the timeline closely will see that there is ignorance and slow action here."

For example, Van der Sluijs states that the KNVB should have known much earlier which data had been stolen. “Anyone who has set up their network properly will find out after a few hours.” If something is on fire, you should extinguish the fire as quickly as possible, says Van der Sluijs. “In our industry we are used to handling something like this within a few weeks. Not five whole months like here.”

"I am almost certain that the KNVB's slowness went against the advice of our colleagues," Van der Sluijs continues. "It seems that there has been an internal struggle about the course to be followed and that half measures have therefore been taken. It is administrative clumsiness at its finest. Tinkering from start to finish. The KNVB is large and rich enough to act on this immediately. But you just notice that they don't know much about tech. They don't understand it, they don't take it seriously, and then these kinds of things fester for far too long."

KNVB critical

The KNVB strongly denies this. “On the contrary: everyone involved worked together very professionally and intensively,” a spokesperson emphasizes. The KNVB is upset that Van der Sluijs, an authority in the field of security, is ‘apparently poorly informed’. “In fact, he admits that he is not familiar with the details at all. We did follow the recommendations of external experts from the very first moment. We did, with the help of two other expert parties, very extensively investigate which data might have been affected by the attack.”

This process, called ‘eDiscovery’, is an intensive one that requires great care, says the KNVB. “Here too we acted in line with expert advice. In short: Van der Sluijs’ claims about us are patently incorrect.”