On Tuesday, July 20, a 28-year-old man from Purmerend was due in court on suspicion of attempted extortion and computer hacking.
The suspect worked at a company and secretly collected personal data there that his job gave him access to. A few years later, when he no longer worked there, he tried to blackmail the company with the collected personal data. If the company did not comply, he would disclose, among other things, the personal data he had captured.
Right at the start of the indictment, the prosecutor indicated how serious this is: "The impact of a data breach is significant not only for the individuals from whom the data was obtained, but also for the companies involved. For example, a data breach can have major financial consequences for companies and lead to reputational damage."
The man sent a threatening email to the company on April 26, 2023, stating that the organization had been the victim of a data breach. As proof, he attached a portion of customer data to the email. A manager at the company responded to the email and eventually, on May 1, the suspect asked for €50,000 in bitcoins. If the amount was not transferred by May 4, a notice of the data breach would be issued to victims, the media and the company's partners. This notice would then describe how irresponsibly the company had acted and how poorly its system was secured, even though the company knew this. He also threatened to sell the victims' personal data on the Dark Web. The consequences of all this would cost the company more than the amount the man asked for, so it was better to pay up.
The 28-year-old man eventually confessed to committing the extortion. Evidence was also found on his phone showing that he was the perpetrator. For example, samples of the personal information he had emailed were found on his cell phone.
In addition to the attempted extortion, he is also suspected of computer hacking from Jan. 21, 2021 to Nov. 15, 2021. The suspect also confessed to this: rather than a data breach having taken place, he had copied customer data and sent it to himself.
At the hearing, the prosecutor made the extent clear: 663 e-mail addresses of victims were found on the defendant's laptop. On his phone were the data of 39,307 people. The suspect categorized the files by age and gender and in many cases also linked them to a particular bank. He clearly spent a lot of time on this, which, according to the prosecutor, shows purposeful action.
It seems the suspect deliberately ran searches in the system, because the victims whose data was collected are often 48 years old or older, an age group that often falls victim to online crime. For example, people over 65 are the most frequent victims of phishing. Many files contained the word "sold"; the suspect would not specify what was meant by this. Also found were files named 'Rabo 65 + 500 SOLD' and 'Old but no 06'.
The prosecutor also pointed to the agreements the defendant had signed as an employee. He had to keep the data confidential and was only allowed to run searches in the system to help customers; he was not allowed to take data for private use.
At the hearing, the prosecutor stressed the seriousness of the facts. The suspect collected personal data over an extended period of time and threatened a company with it. For the company and the people whose data fell into the wrong hands, the impact is enormous. The man acted very deliberately. He copied personal data of nearly 40,000 people and mailed it to himself. In doing so, he never came to his senses. He collected the data for months, and years passed before he attempted the extortion.
He has confessed, but mostly to the facts he can no longer get away from. He does not seem to have made a real disclosure.
In all, the prosecutor arrived at a sentence of eight months' imprisonment, three months of which suspended, with deductions, a probation period of two years, and special conditions.
The suspect's two cell phones and laptop should also be forfeited as far as the prosecutor is concerned.