Skip to content
Naked Security Naked Security

Dutch suspect locked up for alleged personal data megathefts

Undercover Austrian "controlled data buy" leads to Amsterdam arrest and ongoing investigation. Suspect is said to steal and sell all sorts of data, including medical records.

The Public Prosecution Service in the Netherlands [Dutch: Openbaar Ministerie] has just released information about an unnamed suspect arrested back in December 2022 for allegedly stealing and selling personal data about tens of millions of people.

The victims are said to live in countries as far apart as Austria, China, Columbia, the Netherlands itself, Thailand and the UK.

Apparently, the courts have taken a strict approach to this case, effectively keeping the arrest secret from late 2022 until now, and not allowing the suspect out on bail.

According to the Ministry’s report, a court order about custody was made in early December 2022, when the authorities were given permission to keep the suspect locked up for a further 90 days, meaning that they can hold him until at least March 2023 as work on his case continues.

The suspect is being investigated for multiple offences: possessing or publishing “non-public” data, possessing phishing software and hacking tools, computer hacking, and money laundering.

The prosecutors claim that he laundered close to half-a-million Euros’ worth of cryptocurrency during 2022, so we’re assuming that the court considered him a flight risk, decided that if released he might be able to destroy evidence and, presumably, thought that he might try to warn others in the cybercrime forums where he’d been active to start covering their tracks, too.

Governmental breach?

Intriguingly, the investigation was triggered by the appearance on a cybercrime forum of a multi-million record stash of personal data relating to Austrian residents.

Those data records, it seems, turned out to have a common source: the company responsible for collecting radio and TV licence fees in Austria.

Austrian cops apparently went undercover to buy up a copy of the stolen data for themselves, and in the process of doing so (their investigative methods, unsurprisingly, weren’t revealed) identified an IP number that was somehow connected to the username they’d dealt with on the dark web.

That IP number led to Amsterdam in the Netherlands, where the Dutch police took the investigation further.

As the Dutch Ministry writes:

The team has strong indications that the suspect was operating under that user name and that he had, for a long time, been offering non-public personal data – including patient data from medical records – on the forum for payment under that name. […]

With the theft of large amounts of digital data, combining different databases and trading access to this data, more and more criminals know where a person lives, performs bank transactions, what car they have, what their password is, what phone numbers they have, where they work, go to school etc. Where it used to be necessary to observe people for weeks to identify the right victim, now a push of a button suffices.

What next?

We’ll let you know if and when we learn more about this case.

We know for sure that the Dutch police and prosecutors are not going to lose interest, because the Ministry concludes its annoucement with these words:

This kind of criminal activity not only grossly violates the privacy of millions of people but also causes financial damage to individuals and businesses. Police and prosecutors are committed to fighting this complex form of crime by detecting and prosecuting cybercriminals.

But we can’t help wondering whether the Austrian radio and TV licence fee collection company might attract the interest of investigators of different sort, this time from the Austrian data protection regulators rather than the police.

Although companies that suffer breaches are undeniably cybercrime victims themselves, they sometimes end up in legal trouble of their own if the regulator forms the opinion that they could and should have done more to protect their customers.

After all, as the Dutch prosecutors point out, it is the individuals whose data actually gets stolen who are the primary victims here.


As yet another data breach comes scrolling past the inevitability that personal data will end up in the wrong hands grows.
I agree that appear to be questions for the Austrian data protection authorities but not just for the breach. For me I find other questions come up every time there is a breach. Often the use of adequate data security is raised but while the likes of LastPass might be expected to ensure that all data is encrypted it seems that much government related data is not. Maybe I am wrong.
What is not mentioned much is Articel 5(1)(c) – data minimisation. Do all there organisations really need all the data they collect. Have they carried out assessments for sensitive data – assuming of course that someone has bothered to check.
While the GDPR was welcomed back in 2018 and seen as world leading without effective enforcement it is pretty useless. No-one seems to care about the cost in money, health and time to those whose data is stolen and used. All that seems to happen is that more stricutures are placed on the innocent


“You must create an account to use this service once! For your own security! And share important PII! For more security! Because…” (and there often seems to be no credible reason).

Heigh ho…


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!