Minister De Jonge: developer was unaware of the Infection Radar leak

Minister Hugo de Jonge now contradicts that the developer behind the Infection Radar knew about the data breach in which corona symptoms of others could be seen. It now appears that the RIVM had not noticed the data breach because a security check was not carried out.

The minister answered parliamentary questions about the issue that came to light last month. Then, after research by the NOS, it turned out that it was easily possible to see the corona symptoms of others by adjusting the url. The system works with a unique ID consisting of eight digits.

After the vulnerability was discovered, the Infection Radar website was taken down to work on a fix. Minister De Jonge then said that the problem had already been noticed by RIVM during the testing phase and had been passed on to developer Formdesk. The latter, however, contradicted that and reacted surprised to the statements. The answer to the parliamentary questions now shows that De Jonge has confused matters.

The RIVM has indeed reported a number of security problems to Formdesk, after which solutions were advised and implemented, but these did not prevent the problem with adjusting the URLs. According to De Jonge, after implementing the repairs recommended by Formdesk, an extra check should have been done by the RIVM to reveal the problem, but this was not done.

Infection radar is still offline, although it is possible to register. RIVM is conducting additional security checks, after which Infection Radar comes online again. When this is, however, is not yet clear.