At the end of 2020, the Dutch Petroleum Company (NAM) incorrectly shared the names and address details of residents with the Ministry of Economic Affairs and Climate (EZK). The ministry calls it “quite a data breach”. A spokesperson for the NAM says that “almost only public information” has been shared.
This is apparent from correspondence held by the Dagblad van het Noorden . The news media invoked the Open Government Act (Wob) for this. A spokesperson for the NAM confirms this to the newspaper.
NAM inadvertently shared ‘a larger file than needed’
The oil company says it has provided data about the inhabitants of the earthquake area in Groningen to the Ministry of Economic Affairs. This information was necessary for an investigation into the NAM’s Value Scheme. This is a scheme that was created for Groningen residents who sold their houses at a loss due to the earthquakes, or whose value had decreased due to the earthquakes. They could count on financial compensation.
Something went wrong while sharing this information. According to the NAM, the ministry requested information from residents on a random basis. An employee of the oil company then inadvertently sent “a larger file than necessary”.
According to the Dagblad van het Noorden, it concerns Groningen homeowners who accepted an offer from NAM between 2014 and 2020. It is unknown how many people have unintentionally shared the data with the ministry. It may be thousands of inhabitants.
Data breach not reported to regulator
A spokesperson for the NAM says he regrets the situation. He emphasizes that the leak has been “corrected” at both the petroleum company and the miniseries. The department says that the information provided has not been distributed outside its own organization and has since been destroyed.
The spokesperson emphasizes that “almost only public information” has been shared with the ministry. According to gem, no names, telephone numbers, e-mail addresses or special personal data were sent. According to the NAM, there has been “no real risk to the privacy of residents”. That is why the data breach has not been reported to the Dutch Data Protection Authority.
Not the first data breach at NAM
It is not the first time that NAM has been confronted with a data breach. A security vulnerability in an Accellion program left the data of 19,000 people on the street in March 2021. NAM used the manufacturer’s software to securely send large files to the Groningen Mining Damage Institute (IMG).
The IMG is responsible for handling claims for damages from citizens living in the Groningen gas extraction area. Anyone who had submitted a depreciation claim to NAM between 2014 and July 2020 was the victim of the data breach. The same applies to people who were affiliated with the Foundation for the Value Reduction by Earthquakes Groningen (WAG Foundation), and homeowners who had started a lawsuit against NAM on their own.
As soon as the vulnerability came to light, Accellion immediately fixed the problem.
Catch up on more articles here
Follow us on Twitter here