Due to his actions, personal data of several hundred thousand people ended up on the street, according to the East Netherlands Openbaar Ministerie . A 28-year-old hacker, by breaking into a system in late July 2022, managed to get his hands on the source code and penetrate a database. This contained not only data about the events of the companies The Support Group and ID&T (organizers of large dance festivals, among others), but also personal data of all persons with an account, data of artists and crew members of festivals. The prosecution's punishment demand against a 28-year-old suspect from Amsterdam: a 20-month prison sentence, of which 5 suspended.
"Here there was absolutely no question of a mischievous prank," the prosecutor stated today before the Almelo District Court during the justification of the punishment. "This hack was preceded by months of preparation. It was well constructed, with an enormous digital loot as the proceeds. The defendant's behavior can be compared to an elaborate home burglary over several days: first feel all the windows and doors, then get one open, then proceed to window two and each time keep the opened windows and doors open with a clip, so that next time you can get in easily."
According to the prosecution, the hacker, who works as an independent ICT worker, managed to penetrate the system on which everything was running. He did this by hacking into the user account of an executive of ID&T -an administrator with the most extensive user rights. This allowed him to take control of the source code, manage the database and access an enormous amount of data. The prosecution: "The defendant's actions led to very substantial breaches, data theft and destruction and/or modification of data. Thus, he also captured, or rather stole, the source code and database."
Once inside, he could go about his business extensively, freely uploading or downloading files, or adapting or changing them on the spot. Thus he was able to give himself backstage access to the Awakenings festival and request parking spaces, but also view, download or modify data of users of the system (read: festivalgoers).
The event companies had partnered with software company NextSelect of Enschede for that system - called Evi. That company managed the servers on which all the data was stored. Years of work went into building and setting it up and it is estimated to have cost tons. All three companies were closely involved in the development of the system. NextSelect eventually reported the computer breach. After the hack, all users were warned by the companies. Evi itself suffered extensive reputational damage.
The prosecution charges the defendant heavily for not sounding the alarm with the companies to point out the vulnerabilities in their systems so that the damage would have been limited. "Instead, he wanted to quietly study his loot without the possibility of being detected. This goes far beyond some scamming out of curiosity; it was a nasty, very drastic long-term hacking attack with loss of data, of personal data and intellectual property."
