Personal data millions of Dutch citizens on the street due to data breach at car companies

 

Biggest data breach ever in the Netherlands

RDC is an ICT service provider for car garages. When it is the turn of a customer's car for a general periodic inspection (apk), he receives an e-mail notification. This type of service takes a lot of work out of the hands of garage owners because the process is automated. RDC has agreements with the National Vehicle and Driver Licensing Office (RDW) to share information such as the expiration date of roadworthiness tests and name and address details of the car owner. This includes such things as name, address, place of residence, date of birth, telephone number, e-mail address and license plate number. In short, RDC has access to a wealth of car owners' personal information. That makes the company a favorite target of hackers and cybercriminals. That may seem to be the case. Research by NOS shows that name and address details, contact information and license plates of millions of Dutch citizens have been stolen. This data has been bundled into a database and is currently being offered for sale on a hacker forum on the dark web. The attacker is asking $35,000 for the entire database. Exactly how many people are affected by the leak is unknown. NOS has been in contact with the hacker. He claims it involves traceable data of 7.3 million Dutch people. At the same time, he acknowledges that some people appear multiple times in the database. He calls the number of 7.3 million victims "real. If so, it is the largest data leak ever in the Netherlands.

Stolen data is dated

To verify the data, NOS sought contact with the person offering the database on the Internet. In this way, tech editor Joost Schellevis obtained a data sample of 58,000 Amsterdammers with a car or motorcycle. In total, the NOS gained access to 54,000 unique license plates. According to the medium, some of the data is outdated. For example, it contains data from cars that have been at a garage more than 10 years ago. The home address and contact information may still be correct. John Fokker, security researcher at McAfee, tells NOS that the stolen data are worth gold to hackers. "With one push of a button," he says, cybercriminals can see where expensive cars are parked. They no longer need to go out on the streets to scout. With the data, they know exactly who drives which car and where this person lives.

Autoriteit Persoonsgegevens notified of data breach

Exactly how the data was stolen is unknown. In a comment, a spokesperson for RDC said it recognized the captured data. The company immediately launched an investigation, which is still ongoing. The leak has also been reported to the Autoriteit Persoonsgegevens. The RWD confirms that it is in talks with RDC about the leak. It is possible that the leak will have consequences for information-sharing agreements, but we cannot say for sure at this time. The RDC spokesperson says he knows nothing about a recent data leak. This is important because companies and organizations are required to report a data leak to the Autoriteit Persoonsgegevens within 72 hours. If the data was stolen earlier and the company only found out about it now, at least it did its best to report the leak to the regulator as soon as possible.

Phishing and identity fraud

The stolen information is not only of interest to car thieves. Criminals who scam people online can also use it to create victims. With the obtained contact information, they can approach unsuspecting victims in a more targeted and personal way. Their story then comes across as more credible, so that more people fall victim to scams. When scammers ask victims to pass on privacy-sensitive or financial data, we speak of phishing. The stolen data might also be used for identity fraud. This occurs when a hacker pretends to be someone else in order to make his move. A good example is WhatsApp fraud, also known as friend-in-need fraud. Using the chat platform, a scammer pretends to be a friend, family member, colleague or close acquaintance and asks his victims if they can pay a bill for him. If they don't, his financial problems get worse. But once paid, the victims lose their money.

Ticketcounter hit by data breach

Earlier this month, a similar data breach occurred at Ticketcounter. That company manages the reservation systems of a large number of Dutch zoos and amusement parks. People who have bought tickets online in recent years are known to Ticketcounter. Because an employee accidentally placed the customer data of one and a half million Dutch people on an unsecured server, the attacker managed to steal a lot of privacy-sensitive information. The hacker demanded 7 bitcoin to return the captured data, which amounted to nearly three tons at the beginning of this month. Sjoerd Bakker, managing director of Ticketcounter, said he had no intention of paying a ransom. According to him, people are not in immediate danger, but advised them to be alert for phishing activities.