Personal data of Dutch citizens registered in the Municipal Health Service (GGD) corona systems were offered on various online platforms. The systems contain records of all Dutch citizens who have had a corona test taken.
The data in question were stored in the CoronIT and HPzone Light systems. The first system contains the data of all Dutch citizens who have been tested for the coronavirus. The GGD uses the second system for source and contact tracing. The data stored included personal details such as addresses, telephone numbers, e-mail addresses and even citizen service numbers.
Thousands of people had access
Various parties had free access to both systems, including employees of the Red Cross, the ANWB (a roadside assistance company) and call centre employees of Teleperformance. These parties helped to carry out source and contact tracing. In total, many thousands of people had free access to personal data stored in the two systems.
30 to 50 euros per extract
The data were offered via chat services like Telegram, Snapchat and Wickr, writes RTL Nieuws. The data were sold for between 30 and 50 euros per extract and could be requested in bulk or for specific individuals. The bulk options offered tens of thousands of extracts at a time for thousands of euros. Payments were made via Bitcoin or Paysafecard.
GGD wasn’t aware
The GGD told RTL Nieuws that the organisation was not aware of the activities. All employees have to provide a Certificate of Good Behaviour, and random checks were made on employees. This led to several dismissals. The GGD promises to further scale up checks on the systems in the future.
Mass claims
The police have arrested two men on suspicion of illegal data trade. The Dutch Personal Data Authority (AP) has also jumped on the case. The authority claims that the GGD acted negligently by not securing the personal data sufficiently. According to the authority, the GGD not only risks a fine from the AP but also mass claims from victims.
Phishing attacks
Presumably, the stolen data is mainly used to harass victims with phishing attacks. The citizen service number can also be used to commit identity fraud.