Dutch suspect locked up for alleged personal data megathefts

The Public Prosecution Service in the Netherlands [Dutch: Openbaar Ministerie] has just released information about an unnamed suspect arrested back in December 2022 for allegedly stealing and selling personal data about tens of millions of people.

The victims are said to live in countries as far apart as Austria, China, Columbia, the Netherlands itself, Thailand and the UK.

Apparently, the courts have taken a strict approach to this case, effectively keeping the arrest secret from late 2022 until now, and not allowing the suspect out on bail.

According to the Ministry’s report, a court order about custody was made in early December 2022, when the authorities were given permission to keep the suspect locked up for a further 90 days, meaning that they can hold him until at least March 2023 as work on his case continues.

The suspect is being investigated for multiple offences: possessing or publishing “non-public” data, possessing phishing software and hacking tools, computer hacking, and money laundering.

The prosecutors claim that he laundered close to half-a-million Euros’ worth of cryptocurrency during 2022, so we’re assuming that the court considered him a flight risk, decided that if released he might be able to destroy evidence and, presumably, thought that he might try to warn others in the cybercrime forums where he’d been active to start covering their tracks, too.

Governmental breach?

Intriguingly, the investigation was triggered by the appearance on a cybercrime forum of a multi-million record stash of personal data relating to Austrian residents.

Those data records, it seems, turned out to have a common source: the company responsible for collecting radio and TV licence fees in Austria.

Austrian cops apparently went undercover to buy up a copy of the stolen data for themselves, and in the process of doing so (their investigative methods, unsurprisingly, weren’t revealed) identified an IP number that was somehow connected to the username they’d dealt with on the dark web.

That IP number led to Amsterdam in the Netherlands, where the Dutch police took the investigation further.

As the Dutch Ministry writes:

The team has strong indications that the suspect was operating under that user name and that he had, for a long time, been offering non-public personal data – including patient data from medical records – on the forum for payment under that name. […]

With the theft of large amounts of digital data, combining different databases and trading access to this data, more and more criminals know where a person lives, performs bank transactions, what car they have, what their password is, what phone numbers they have, where they work, go to school etc. Where it used to be necessary to observe people for weeks to identify the right victim, now a push of a button suffices.

What next?

We’ll let you know if and when we learn more about this case.

We know for sure that the Dutch police and prosecutors are not going to lose interest, because the Ministry concludes its annoucement with these words:

This kind of criminal activity not only grossly violates the privacy of millions of people but also causes financial damage to individuals and businesses. Police and prosecutors are committed to fighting this complex form of crime by detecting and prosecuting cybercriminals.

But we can’t help wondering whether the Austrian radio and TV licence fee collection company might attract the interest of investigators of different sort, this time from the Austrian data protection regulators rather than the police.

Although companies that suffer breaches are undeniably cybercrime victims themselves, they sometimes end up in legal trouble of their own if the regulator forms the opinion that they could and should have done more to protect their customers.

After all, as the Dutch prosecutors point out, it is the individuals whose data actually gets stolen who are the primary victims here.