The VPN networks of Air Traffic Control the Netherlands, Shell, KLM, the national government and hundreds of other companies in the Netherlands were accessible to malicious parties for months.
There would have been a leak in the VPN connections of the affected companies. With a VPN service, employees can connect to the corporate network from different locations.
The vulnerability could have allowed hackers to retrieve “fairly simple” passwords and usernames. They could also view files from the internet and use the VPN connection as if they were employees.
All mentioned Dutch companies would use the Pulse Secure VPN service, de Volkskrant writes. The company would have more than twenty thousand customers worldwide, including several defense companies, Air Traffic Control the Netherlands and several care providers.
The sources in particular call the air traffic control the leak “worrying” because hackers could get into the organization’s system within minutes.
“Leak was discovered in March, but companies postponed update”
The leak was reported to have been uncovered by two Taiwanese researchers and reported to Pulse Secure in March. In April an update was made for the VPN service, but according to de Volkskrant, dozens of Dutch companies were still vulnerable up to and including August, including the central government.
Only after a security expert rang the bell at the NCSC would more companies have carried out the necessary update.