Recommendation: delete app with additional NL-Alert information due to data breach
The Ministry of Justice and Security reported a data breach in the app with additional NL-Alert information to the Dutch Data Protection Authority today. This relatively new app, which users of Android or iOS devices have been able to download for additional information since early March, is an addition to the general NL-Alert system of the national government in case of an emergency. In the meantime, around 58,000 users have downloaded this app with additional information. They are recommended to delete the additional NL-Alert app from their telephones. People who delete the additional app will still receive the regular NL-Alert notifications, which use an entirely separate system.
Minister of Justice and Security Ferdinand Grapperhaus wrote a letter to the Lower House of Parliament, which stated that further research is being conducted into the scope of the data breach in the additional app and its origins. In order to provide additional information services through the app beside the NL-Alert notifications (for example, push notifications), location information of the users present in an affected area has to be gathered at that time. However, location information and possibly other personal data (such as information on the operating system and other apps installed) have ended up with an external notification service without the consent of the users. This external service has been asked to immediately cease data collection through the app and destroy any data already gathered.
Stopping the data breach
Measures are currently being taken to develop a different, safer design for the additional app. Until this process is complete, it is recommended to delete the app. An updated version of the app will be distributed in a few days, without the external service in question. This will stop the breach as soon as possible.
The NL-Alert app makes a valuable contribution to the government's emergency communication tools, but citizens should be able to rely on the careful handling of their personal data. Minister Grapperhaus has requested that the Central Audit Service (Auditdienst Rijk, ADR) investigate the matter, to which the ADR has consented.
As soon as more information about the data breach is known, it will be disseminated on the NL-Alert website and the Lower House of Parliament will be brought up to date as well.