A possible data breach that was found in the NL-Alert app last year should have been reported earlier to the Dutch Data Protection Authority (AP).

This is what outgoing Minister Ferd Grapperhaus of Justice and Security writes in a letter to the Lower House.

The NL-Alert app was released in March last year as an addition to the national alarm system NL-Alert.

This is used by the government to warn citizens of danger, for example in the event of disasters or extreme crowds.

The app allowed people to receive reports of incidents, view an overview of NL-Alerts and look up information about preparing for emergency situations.

But at the end of April, Grapperhaus wrote that a possible data breach had been found, as a result of which location data of users and possibly other personal data had ended up with an external notification service without permission.

Later, a second vulnerability was found, which could trace the location of other users.

Ministry should have reported vulnerabilities immediately

According to the AP, the ministry should have reported "at the first sign of a possible infringement".

Grapperhaus endorses this: "The possible violation should have been reported to the AP without delay. I see this as an important learning point that has now been anchored in the working method. When in doubt whether an incident should be reported to the AP or not, the rule applies. that a provisional notification is made. "

The AP also noted that the security of the NL-Alert app was not in order.

For example, a vulnerability had been identified and there was no revision of the latest version of the app to detect shortcomings.

After the vulnerabilities were found last year, the app was pulled from app stores.

Nevertheless, the app appeared to meet a great need, Grapperhaus writes.

That is why a new app is being developed, but it "will only become available to the public when a careful (external) review of privacy requirements and information security, among other things, has taken place."