Prosecutors said they would investigate the company that was providing digital security for DigiD, a Dutch government site that allows citizens to access a large number of services, including filing taxes, signing up for university and donating organs.
The provider—U.S.-owned, Netherlands-based DigiNotar—was dismissed by the government last week as officials disclosed the hacking.
In July, DigiNotar suffered the theft of hundreds of certificate codes used to prove a website's authenticity to viewers. Armed with these codes, hackers can secure security authentication for bogus websites, from which they can steal data and personal information entered by users.
The Dutch government believes that the perpetrators of the hacking were in Iran, based on information it received from a security consultancy, Fox-IT. The government said Monday that 300,000 Internet users in Iran had been spied on using the fake certificates. It didn't mention any other victims.
The results and repercussions of the Dutch investigation could shape the future of online commerce and government sites, and the regulation that covers them, as more and more government administrations switch from paper to online. An estimated nine million Dutch citizens, in a population of about 17 million, used DigiD.
The Dutch hacking case "is a huge deal," said Jonathan Todd, a spokesman for Neelie Kroes, the EU's digital agenda commissioner. "This latest case illustrates the risks and the challenges of e-government and online commerce, and the European Commission is working on a coherent European response to meet these challenges."
What that means exactly for tech companies is still unclear, but EU officials say they will consider mandating tougher supervision for online certification companies, which guarantee a website's authenticity for the viewer.
"We do know for a fact that the legislation on digital signatures is going to change," said Ilias Chantzos, a lobbyist in Brussels for Symantec Corp., which last year bought Verisign Inc., a Dulles, Va.-based company that issues digital certificates.
Meanwhile, the biggest headaches are in the Netherlands.
The Dutch government said it planned to review the authentication system due to the hacking scandal. "We need to consider if the system as we know it is the best one available," said Vincent van Steen, a spokesman for the Ministry of the Interior.
In what is shaping up as one of the most damaging hacking cases for a single country, courts have advised lawyers to switch to fax and old-fashioned paper mail instead of email.
Lawyers can't access the Dutch Bar Association's Intranet, and have been told by courts to switch to fax machines and mail until the problems are solved. "Most of our work is digital. But now we have to use notes, which is like a step back in time," said Diederik Maat, a lawyer in the northern Netherlands. "For courts and law firms, this is an administrative nightmare."
At a news conference on Saturday, Justice Minister Piet Hein Donner advised citizens worried about the security of their communications with the government to return to pen and paper.
The government over the weekend extended the online tax deadline indefinitely, until DigiD can again be declared secure.
The Dutch government is currently switching to certificates provided by other suppliers, such as Getronics Pink Rocade, a unit of Hague-based KPN NV. It will also look for ways to bolster supervision and it has promised to review the concept of e-government.
DigiNotar, which was acquired by Chicago-based Vasco Inc. in 2010, has admitted finding out about the hacking in July. The government didn't say when it found out about the hacking.
A spokesman for DigiNotar declined to comment on the case."But we will cooperate with the Dutch government in the most constructive manner to solve the problems," he said.
In a statement issued Tuesday, Vasco said it hadn't yet incorporated DigiNotar technology into its own products: "This means that all Vasco products in the market today are 100% DigiNotar-free."
Google Inc. said it was no longer working with DigiNotar.
"Based on the findings and decision of the Dutch government, as well as conversations with other browser makers, we have decided to reject all of the Certificate Authorities operated by DigiNotar," information security manager Heather Adkins wrote in a blog post.
"We encourage DigiNotar to provide a complete analysis of the situation."