Dutch MP must cough €750 for hacking into medical lab

[Erica Absetz <eabsetz () opensecurityfoundation org>]

http://www.theregister.co.uk/2013/02/19/dutch_mp_ethical_hacking_fine/

A Dutch MP has been fined €750 (£650, $1,000) after he was convicted
of illegally accessing the systems of a Dutch medical laboratory.

Henk Krol claims he only accessed the systems of Diagnostics for You
in order to expose sloppy security practices. The MP, who is the
leader of Dutch minority pensioners party, 50plus, used a login and
password that he had obtained from a patient at the clinic in April
last year to access and download medical files relating to several
people. The patient had apparently overheard the login information
from a member of staff.

The journalist and politician informed the laboratory about its
inadequate security, and presented redacted copies of the medical
information he had obtained. He also reported the incident to local TV
station Omroep Brabant, carrying out an on-air demonstration of the
lab's lax security practices during which medical records were again
accessed.

Krol, former editor-in-chief of the newspaper Gay Krant, hacked into
the system just months before he was elected to the Dutch parliament
last September. The politician told the court that he had acted as a
journalist and ethical hacker at the time of the breach.

A district court in the southeastern region of Oost-Brabant partially
accepted the public interest defence of Krol's legal team, which
argued that he was serving the greater good by exposing problems in
the protection of confidential, medical data. But the court also
considered that he had not given the lab enough time to fix the
problem before going public when it issued his sentence. It also took
issue with the "disproportionate" amount of records he accessed,
saying he had gone "further than necessary" to achieve his aim. The
court said it was lenient as it did not believe Krol was likely to
repeat the offence.

The patient who initially tipped him off about the problem was fined
€250 (£215, $330), IDG reports.

The court's judgment can be found here (PDF). A Google translation is here. ®
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 

Tenable Network Security (http://www.tenable.com/)
Tenable Network Security provides a suite of solutions which unify real-time
vulnerability, event and compliance monitoring into a single, role-based, interface
for administrators, auditors and risk managers to evaluate, communicate and
report needed information for effective decision making and systems management.