FAQ data breach
We previously sent you a message about a data breach by the supplier of our Parent Portal (KidsKonnect). We regret that this has happened. We have taken additional measures with the supplier to prevent a data breach in future. The security settings have been tightened up and expanded. For example, double checks will be introduced when downloading documents in the KidsKonnect app. We have every confidence that the measures we have taken will prevent a situation like this in future.
We understand that you want to know how likely it is that your data has been leaked, and to whom. Below we have answered the questions we received.
How do I know whether my child's (children's) information was in the downloads?
We have informed all Korein clients of the downloads in the Parent Portal. The fact you received an email does therefore not mean that it concerns your data. It was necessary to inform all parents, because it is not possible to trace which parents it concerns. This is a statutory obligation. And we believe it is important that you are informed.
How great is the risk that my data was leaked?
During the period in which the data breach occurred, KidsKonnect saw 27 downloads of which it is not 100% certain they were by the parents themselves. A total of 7 of these downloads were for Korein. It is possible these downloads were done by parents themselves. However, this cannot be ascertained, because the IP addresses cannot be traced. Neither did the supplier observe unusually high download activity. It is therefore possible that data was viewed by another parent, but the likelihood is very small.
Who could have downloaded my documents? Outsiders too?
No, only Korein clients may potentially have been able to download your documents. Parents were potentially able to view information about children other than their own for a period of about two hours.
Exactly what information does it concern? Does it concern photos or passwords?
It concerns documents such as annual statements, invoices, and contracts. So no photos, children's information, or passwords. Annual statements, invoices and annual contracts contain information such as name and address details or citizen service numbers. If you wish, you can see for yourself in the Parent Portal what details are in these documents.
What is the cause and what are the solutions and preventative measures?
The data breach arose because of a technical fault during modification of the log in process for KidsKonnect. We regret that this has happened. We have taken additional measures with the supplier to prevent a data breach in future. The security settings have been tightened up and expanded. For example, double checks will be introduced when downloading documents in the KidsKonnect app. We have every confidence that the measures we have taken will prevent a situation like this in future.
Was KidsKonnect hacked? Is a malicious person involved?
No. KidsKonnect was not hacked. It concerns a technical fault that occurred during modification of the log in process for KidsKonnect.
Why did it take one and a half months for me to be informed?
A detailed investigation was necessary to ascertain the scale of the data breach. This investigation took longer than we had hoped. KidsKonnect maintained close contact with the Dutch Data Protection Authority (AP) regarding this incident. As a client of KidsKonnect, we also reported this data breach to the AP in accordance with the guidelines. As a client of KidsKonnect, we also reported this data breach to the AP in accordance with the guidelines.
How does this compare to the usual number of downloads in a comparable period? Is it known how many accounts it concerns (does it concern multiple downloads per account, for example)?
KidsKonnect did not observe unusually high download activity during the data breach.
Does the technical fault mean parents were randomly presented with an incorrect document (belonging to another child), or could a malicious party knowingly download documents belonging to other children (e.g. by entering manipulated input into the system)?
Parents and employees only see a document name. The downloader could only see who the document belonged to after downloading. You see, parents cannot enter anything, but only click and on and open documents.