The private addresses and telephone numbers of potentially millions of Dutch people have fallen into the hands of criminals. They were stolen from a company that provides ICT services to car garages. In addition to name and address details, the stolen data includes e-mail addresses, license plates, telephone numbers and dates of birth, according to research by the NOS. The data is being offered for sale on a popular hacker forum.
The exact number of people affected by the leak is unknown. According to the hacker who is offering the data for sale, it concerns traceable data of 7.3 million people, but the same person can appear in the data several times. An e-mail address is said to be present in 2.5 million cases.
According to the ICT company concerned, the figure of 7.3 million stolen data points sounds “real”. In that case, it is one of the largest Dutch data breaches ever.
“For criminals, this is super useful information,” said McAfee security researcher John Fokker, who investigated online crime and organized crime with the police.
The leak was at the company RDC, which, for example, offers garages the option of automatically emailing customers when it is time for their MOT inspection. The company received part of the information from the RDW, the body that keeps the vehicle register up to date.
How exactly the data was stolen is a mystery. After the NOS had informed the company that data was being offered for sale, it started an investigation and recognized the stolen data. “The investigation is still in full swing. We have already reported to the Dutch Data Protection Authority,” said a spokesperson for RDC.
This concerns older data, so it may have been stolen some time ago and only now put up for sale. The company says it is not aware of a recent leak. “We are very shocked,” said the company.
Prominent figures among the victims
“Gangs of crooks that get their hands on this data can now see with one click of a button where expensive cars are,” says security researcher Fokker. “They don’t have to go out on the street anymore.” The large volume of personal details may also interest internet scammers, who can use it to approach people in a more targeted and personal way.
Attacks aimed at specific individuals may now also become easier. Various prominent figures can be found in the dataset, including a party leader in the House of Representatives. “You now know where they live and what car they drive,” says Fokker.
For $35,000
The data appeared on the hacker forum this weekend; the seller said he wanted $35,000 for it. Some of the data has been posted publicly on the internet. The NOS also approached the internet criminals and received the data of 58,000 Amsterdam residents with a car or motorcycle. This involved 54,000 unique license plates.
Some of this data is outdated and includes cars that are no longer in use. But although the license plate may now be registered to a different name, the home address, e-mail address or telephone number, for example, can still be correct.
It even contains details of cars that were at a particular garage more than ten years ago. “You may wonder why that was not already erased years ago,” says Fokker. “It is really dangerous to keep this kind of data in the same place for years.”
Under strict conditions, RDC receives data from the RDW, such as the expiry date of MOT inspections and rough information about car owners, such as the digits of the postcode and the year of birth. Whether that data was stolen is not known. “There is contact with RDC and the consequences are being discussed,” says the RDW.
Mega data breaches more frequent
Last month there was a similar data leak: data was stolen of people who had bought tickets for, for example, museums and zoos through the company Ticketcounter. This also involved an unknown quantity of address data.
According to the Dutch Data Protection Authority, there were more such ‘mega data leaks’ in 2020, in which the data of more than 100,000 people was exposed. In 2019 there were 68; last year there were 76. In 257 data leaks, at least 10,000 people were involved.