Dutch police have arrested two individuals in the country for selling COVID-19 patient data stolen from the national COVID-19.
The availability of COVID-19 patient data in the cybercrime underground was spotted by the RTL Nieuws reporter Daniel Verlaan.
Verlaan discovered ads for stolen Dutch citizen data advertised on multiple instant messaging apps, including Telegram, Snapchat, and Wickr.
Dutch police arrested the duo within 24 hours of the complaint.
“On Friday, January 22, the police and the Public Prosecution Service received reports from the GGD that personal data from GGD systems would be offered for sale on Telegram. The cybercrime team of the Central Netherlands police immediately started an investigation. This investigation soon led to two employees of the GGD call center. The police immediately tracked them down. The suspects were both in Amsterdam on Saturday evening, where they were arrested and taken to a cell. It concerns a 21-year-old man from Heiloo and a 23-year-old man from Alblasserdam. The men’s homes were searched; computers have been seized.” reads the press release published by the Dutch Police.
“Stealing and selling or reselling personal data is a serious crime. Police and Public Prosecution are on top of this. Two people were arrested in this case within 24 hours.”
According to the Dutch newspaper, millions of patient details were offered for sale, including address details, telephone, and BSN identifiers (Dutch social security number). Data appears to be from the two most important systems of the Dutch Municipal Health Service (GGD).
“On chat services such as Telegram, Snapchat and Wickr, private data from the GGD systems has been offered for sale by dozens of accounts and in various large chat groups for months. Some accounts offer to look up the details of a specific person. That costs between 30 and 50 euros and then you will receive the home and email address and telephone and citizen service number from someone.” reads the post published by RTL Nieuws.
“Other accounts offer large datasets containing the private data of many tens of thousands of Dutch people. Criminals charge thousands of euros for this because it is relatively unique that social security numbers are sold on such a large scale. A social security number is very sensitive and can be misused for identity fraud.”
The data was allegedly stolen from two government systems used by the GGD named CoronIT, which contains details about Dutch citizens who made a COVID-19 test, and HPzone Light, one of the DDG’s contact-tracing systems.
Data was offered for prices ranging from €30 to €50 per person.
Verlaan discovered that the two suspects had access to official Dutch government COVID-19 systems because they were working in DDG call centers.
Experts pointed out that the availability of the BSN number (Dutch social security number) could expose citizens to financial fraud and identity theft.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, COVID-19)