‘Inertia’ KNVB after Russian hack may get tail: ‘From beginning to end tinkering’ by Arwi van der Sluijs


Cyber incidents happen. That it happens to the KNVB is a fact, not a shame. It’s going to happen to you one day, too. My (Arwi van der Sluijs) point with this article is the following question: Is your organization prepared for a cyber incident?

Based purely on the tight processes in Cyber Incident response, as an experienced incident handler, I contend that something went wrong at the KNVB. After all, it’s been in the news too long. No matter what exactly went wrong then. Something caused it to be in the news after 6 months and that makes this incident special and worthy of discussion. Also whether or not you pay. Every incident is unique, and with that comes a choice of whether to pay a cybercriminal or not. I have no opinion on that. Most importantly, protect your customer data. And if that costs money then so be it. You can prepare for a cyber incident. Consider technical, procedural, financial and communications elements. Oh… yes… don’t forget the emotions as well. We also build in calmness for our incident response team members.

'Inertia' KNVB after Russian hack may get tail: 'From beginning to end tinkering' by Arwi van der Sluijs

The rumored cyberattack on the KNVB may have repercussions. The Data Protection Authority (AP), the personal data regulator, is currently in talks with the soccer association on the sensitive issue, a spokesperson said. Whether it leads to sanctions is unclear. An authority from the security world (ed. Arwi van der Sluijs) thinks a fine is at least appropriate.

AP chairman Aleid Wolfsen accuses the KNVB of maintaining a “despicable revenue model” by doing business with criminals. The soccer federation supposedly paid Russian cybercriminals more than a million euros in order to recover captured data containing personal data. The privacy watchdog is currently in talks with the KNVB about the state of affairs.

This is not specifically about paying ransom, the AP stressed. “That’s their choice. This is about the protection of personal data.” The KNVB should have reported the attack to the AP within 72 hours. The association claims to have done so immediately. A fine, as the past has repeatedly shown, is not ruled out.

What happened?

On Saturday, April 1, a cyber attack took place on the ICT network at the KNVB Campus in Zeist, the headquarters. The perpetrators were the notorious Russian hacker collective called LockBit. The football association released this news three days later. In that press release, the association reported that it was still figuring out exactly what data had been stolen.

The KNVB made no announcements afterward for months. Images shared online did show that over 300 gigabytes of data had been stolen, an immense amount. This data, from passports to salary slips of Oranje players, would be released on April 26 if the association did not pay a ransom. The KNVB did not want to say anything about this for a long time. Five months later, the KNVB announced through an advertisement that a ransom had been paid and that there was still a chance that stolen information might appear somewhere on the Internet.

The KNVB could have prevented a lot of suffering if it had been more alert from the start, more transparent and had listened more closely to experts in the field, says Arwi van der Sluijs, an authority on cybersecurity. His company, the Hague-based NFIR, was responsible, among other things, for the security control of the corona tracing app. Van der Sluijs immediately adds: “I don’t blame the KNVB for being hacked. That happens to all of us. But I’m sure they piled mistake upon mistake from beginning to end. I was not involved in this incident, but anyone who studies the timeline closely will see that there was ignorance and slow action here.”

For example, Van der Sluijs argues that the KNVB should have known much earlier which data was stolen. “Anyone who has set up his network a little well will find out after only a few hours.” If something is ablaze, you have to put out the fire as quickly as possible, Van der Sluijs believes. “Within our industry, we are used to dealing with something like this within a few weeks. Not five whole months like here.”

“I am almost certain that the KNVB’s inertia went against the advice of our colleagues,” Van der Sluijs further stated. “It seems that there has been an internal struggle over the course to be followed and therefore half-measures have been taken. It’s administrative clumsiness at its finest. From beginning to end tinkering. The KNVB is big and rich enough to act on this immediately. But you just notice here that they have little knowledge of tech. They don’t get it, don’t take it seriously, and then these things fester for far too long.”

KNVB critical

The KNVB vehemently denies this. “On the contrary: there was very professional and intensive cooperation by all involved,” a spokesman stressed. It stings the KNVB that Van der Sluijs, after all an authority on security, is “apparently ill-informed.” “Indeed, he himself acknowledges not knowing the details at all. On the contrary, we did follow the recommendations of external experts from the very first moment. We did investigate very extensively, namely with the help of two other expert parties, what data might have been affected by the attack.”

That process is called “eDiscovery” and is an intensive process involving great care, the KNVB says. “Again, we acted in line with expert advice. In short: claims made by Van der Sluijs about us are pertinently false.”

Take Action Now: Secure Your Organization
If this article has opened your eyes to the vulnerabilities and risks that even large organizations like the KNVB face, it is time to act. Don’t wait until a cyber incident forces you to take action. Contact NFIR today to assess, prepare and secure your organization’s digital assets.


The next 30 minutes are crucial!

The first 30 minutes after a cyber security incident are crucial because rapid response can limit damage, prevent further spread of the attack and secure essential evidence for investigation and recovery.

Our Computer Emergency Response Teams (CERT) are available 24/7 to support businesses and organizations during IT security incidents.

Does your company need professional help with a security incident?