Managing director

Hi, Mr. Farwerck, and thank you for agreeing to be interviewed by us today. Would you mind
briefly introducing yourself and telling us about your role within KPN? 

0:13

>> My name is Joost Farwerck. I'm a COO of KPN. And that means that I'm responsible for
KPN's operations in the Netherlands. 

0:23

>> In early 2012, a breach was discovered which granted a hacker access to highly sensitive
data. Could you tell us a little bit about this incident, and how you became aware of it, and
how you became involved in dealing with it? 

0:37

>> The reason I got aware of it is that we have people working on our IT environment all day
and they reported the issue to me. And then we had a team call according to certain
process. And there, they explained to me in more detail what was happening. So then I
understood that we had a hack in certain surface. And we were not certain if the hacker really
reached customer information or not, but because of that we understood it was a serious
issue. 

1:13

>> What security themes come to mind when thinking about this type of incident? 

1:19

>> Well, first, for me, I really had to understand the issue. So my first question was, what was
really happening here? And the issue that someone fished the KPN surface on a certain
level, which was really identified as a hack. But we were not sure what the complete situation
was. And for me, there are couple things very important in such crisis. First of all, what's the
impact for our customers? What's the impact for us as a company? The continuity of our
services. And thirdly, what's the impact on society? Because we are a company who really
supporting the society, and these are always the free questions that I ask myself when we face
an issue.

>> Could you talk about some of the most relevant security challenges that you've
faced while managing the incident?

2:12

>> Yes, while handling the incident, me and the team, we talked about the worst case scenario,
and the worst case scenario for us would be the hack are really taking away customer
information. And if we came to the conclusion, and that was the case, then we concluded that
we had to close down incoming internet connections for our customers until we solve the
issue. 

2:43

And at the certain moments, the team reported to me that they thought the hacker really
approached the customer systems, which was not really possible we thought, but then they
told me that on the Internet someone published list of KPN customers with the passports
related to our customers, the KPN passports. So then, I decided to close down all broadband
connections of our customers in the Netherlands. 

3:16

Later, it came out that it was a joke of someone who took KPN email addresses from another
site. And since all customers or lots of people use the same passwords on all circumstances,
the list of those KPN broadband customers and related passports really looked alike. So at the
end it was someone who really tried to fake a hack in the deepest detail of KPN, but still we
had this issue on our servers.

>> What makes the matter in which this incident was handled so
successful? What can a company like KPN learn from an incident like this?

4:01

>> Well, we have a very detailed and professional crisis handbook. And me and my team, we
know how to deal with an interruption of services or a crisis very well because we deal with
this kind of situations a lot. Not in this size, of course, but we have more interruptions than this
one. So we know what to do. It's called our Be Alert service. We have different codes of
issues. It's a code green, blue, yellow, orange. And this one was a code red. We do not have a
code red that often luckily. And when we have a code red, then we are really in full crisis
mode. And we know what to do. And to work according to process and to decide according to
process. So I think that's very important. And we use that system for this new
situation. Because we weren't that good in that time at solving hack issues. 

5:05

So what I learned from the crisis is that we really had to invest in our IT environment and in the
security of our IT environment. And we installed a CISO Department. We hired a lot of
people. We invested tens of millions in the safety of our IT security environments.

>> Are there any specific other strategies that you would recommend?

5:32

>> Well, to be quite honest, the way lots of companies run IT is that when there is an incident
they solve it. When you have to fetch a new generation of IT after suppliers mention this to
you, they do it. But we changed our company 

5:56

in the way that we really try to monitor proactively the quality of our IT. So not only when we
think there's an issue we approach it but we really are a proactive company
nowadays, monitoring the complete environment of our IT.

6:13

So we hired people, to be quite honest, we hired a lot of hackers, trying to approach KPN
everyday. Trying to find the little holes in our company, and in our IT environment. To conclude
where there are weaknesses. Proactively, not waiting for someone else to do it. 

6:35

We have to do whatever we can, because everyday people try to enter us. And it will never be
for a 100% sure, they are very smart out there, so we have to be smarter, and that's why we
work everyday. We invest everyday in the safety of our IT environment.

>> What are some of the most important lessons learned from this incident?

>> Well, I always say that people
build a new dimension which is cyber, and only a couple of decennial later, we decided that
the security of that new world we all live in for hours per day is not as good as a security in a
physical world. And I think we all should understand, whatever we do on cyber could be
impacted. It will never be for a 100% safe. 

7:33

But we have to do everything as a company, but also our government and people using cyber
to work in a safe and live in a safe cyber environment. And the most important thing is people
change their passwords every month. 
