Medical records and civil register sold on the darknet: Dutchman arrested

01/26/2023Cybercrime, Darknet News, Europe

Dutch investigators have arrested a man who allegedly stole and sold personal data of millions of people worldwide on the darknet. The 25-year-old Dutchman was arrested back in November following a tip from the Austrian Federal Criminal Police Office. However, the case was only made public on Wednesday by the public prosecutor’s office in Amsterdam.

According to the information, there is an urgent suspicion that the arrested person offered stolen confidential data for sale over a long period of time, including patient data from medical records. This is said to involve data of people from the Netherlands, Austria, Thailand, Colombia, China and Great Britain.

In Austria, all residents were even affected because the entire population register was offered for sale in 2020. The register operator, the Ministry of the Interior, denied having been hacked. Suspicion fell on the ORF subsidiary GIS (Gebühren Info Service), which is entrusted with collecting broadcasting fees and therefore has access to the entire population register. GIS referred to an ISO certification of its IT systems and denied any omissions.

Registration data from GIS after all – indirectly

In the meantime, it has become clear that the civil register originates from GIS, but is not likely to have been tapped at GIS. As reported by the Austrian Broadcasting Corporation (ORF) with reference to the Austrian Federal Criminal Police Office, the GIS has handed over the entire civil register to an IT service provider, who placed the data on a server completely unprotected. There, the Dutchman is likely to have found and downloaded the civil register, without any sophisticated hacking methods at all.

The Austrian Federal Criminal Police Office and the Secret Service have been investigating since 2020 and were finally able to locate the man’s home address in Amsterdam. During house searches in Amsterdam and Almere, Dutch colleagues then seized significant amounts of hardware and software. The criminal platform on which the data was offered for sale has since been closed down.

The question remains why the GIS receives the entire civil register with all nine million inhabitants, and not an extract limited to those potentially liable to pay fees. Starting next year, everything will change again: Based on a ruling by the Constitutional Court (VfGH), all Austrian households and companies with Internet access will then have to pay ORF fees – unless the legislature takes action. This means that the future of Austrian broadcasting fees is open.