UWV to block sending of Excel files following data leak

In the first quarter of 2019, the UWV will introduce a technical measure that makes it impossible to send certain files, such as Excel files. The reason for this was the data breach of 3 August, in which the wrong file was sent.

Minister Koolmees of Social Affairs and Employment mentioned the measure in one of his answers to questions from SP MP Van Kent about the data breach. The measure is meant to minimize human error by blocking the sending of certain files. The minister gives Excel files as an example. Koolmees will consult with the UWV about which further measures are possible, such as additional verification steps, automatic warnings or technical blocks.

Because major changes to the system take time, the UWV is for now focusing primarily on raising awareness among employees and on better compliance with the so-called ‘four-eyes principle’, according to Koolmees. This means that at least two people must review a task before it is carried out, in order to prevent errors and abuse.

At the beginning of August the private details of 2400 UWV clients ended up with the wrong people, because the wrong file was sent to several clients. In addition, the dispatch was not checked, as the four-eyes principle required. The UWV uses bulk messages when sending the same message to several people. Bulk messages were previously not allowed, but in 2016 the ban was lifted within the organization. The reason behind this was that sending individual messages takes too much time and can lead to more errors. “Bulk messages are safe, provided the procedures are followed,” says Koolmees.

The UWV messages end up in the client's workbook. In this folder the client can place their CV, contact the UWV and apply for vacancies. The workbooks of 97 clients should have received an invitation to a meeting, but instead they got a file with the private data of 2400 clients.

This included the BSN numbers of those clients. Normally these numbers are at least partly made unreadable. In this case that had not happened. The data breach took place on 3 August. The leak was reported to the Dutch Data Protection Authority within 72 hours. The affected clients received a letter at home in which the UWV apologizes and promises that this will not happen again in the future.

In September 2016 there was a similar data breach at the UWV. Then, too, the wrong file was sent to various clients, exposing eleven thousand items of private data.