A hacker tried to sell the personal information of nearly every Austrian citizen, police say
A case of human error with major consequences
By Daniel Sims
In context: The results of successful international cooperation between law enforcement agencies fighting cybercrime became known for the second time this week. While not as big a case as the Hive ransomware bust, the arrest of a hacker selling the personal data of millions provides another example of how fragile digital privacy is. It also shows the cost of human error from those who house our personal information.
On Wednesday, Austrian police announced the arrest of a hacker in the Netherlands for selling the personal information of almost everyone living in Austria. The investigation involved collaboration between authorities in multiple countries over two years.
The unnamed 25-year-old Dutch suspect allegedly listed a dataset for sale online containing the names, addresses, genders, and dates of birth of nine million Austrians – virtually the country's entire population. Reuters notes that police arrested the man in November but held off announcing it pending an ongoing international investigation that started with a data breach in 2020.
The hacker didn't acquire the data using malware. Austrian newspaper Die Presse writes that he merely seized upon a mistake someone made during a routine IT operation.
When the Gebühren Info Service (GIS), which handles Austrian broadcasting fees, hired a Vienna subcontractor to restructure its data in 2020, one of the company's employees accidentally used the service's real information during a test. The GIS reported the data theft in May 2020.
As a result, the personal data of millions of Austrian citizens was left publicly accessible online for about a week. The hacker may have accessed it using a search engine, although it was not Google. When someone named "DataBox" on Raidforum.com offered to sell registry information on millions of Austrians in New Zealand, NZ authorities bought it for a four-figure sum to confirm that it came from the GIS breach. The data's composition style matched GIS record-keeping.
Police identified the suspect after securing a server in Germany from which they allegedly downloaded the GIS's data. The New Zealand bitcoin transaction also pointed authorities to the hacker, whom the police suspected of cybercrimes.
When Dutch police arrested the suspect in Amsterdam, they found 130,000 data banks containing personal information on people in Thailand, China, the Netherlands, Colombia, and the UK, including medical records.