A hacker in the Netherlands stole nine million Austrian registration data and offered it for sale on the Internet. The theft of data in the GIS environment itself was already known in May 2020, and now it has also been clarified: last November, a “very large fish” was caught in the Netherlands, which was probably responsible for the theft, as experts from the Department of Federal Criminal Police (BK) told reporters today.
Virtually all reporting data affected
The hacker obtained the data through a glitch at a Viennese IT company that GIS hired to restructure its database. Virtually all Austrian registration data was affected, namely names, dates of birth and registration addresses of all citizens, said Klaus Mits, department head of the Cybercriminal Police Office at BK.
The GIS had this data and a second construction-related database to track any transmission rate evasion. They hired a renowned Viennese IT company to restructure these databases and handed over the data to the company. BK experts emphasized that this is a fairly common procedure.
Sequence errors in subcontractors
The error must have happened to the subcontractor: an employee of the company may have used the real GIS registration data for a test, and this database was available on the Internet without access protection, according to estimates by BK specialists about a year ago. week. “The perpetrator found the data with a search engine,” said a BK investigator. Addendum: “Of course, you can’t find the data via Google.”
Operation Covert BK brought clarification of the ongoing case
BK became aware of the offer via New Zealand that an initially unknown person had made under the pseudonym “DataBox” on the hacker forum Raidforum.com. The BK emphasized that there was therefore good cooperation with the New Zealand authorities. The investigators then bought the data – secretly – for an average value of four figures and thus managed to clarify the case.
In several rather extensive investigative steps – including securing a server in Germany from which the perpetrator downloaded data – the identity of the man, a 25-year-old Dutch national, was determined. The investigators also uncovered the payment – the data money was transferred in cryptocurrency. “Each Bitcoin transaction, for example, is openly recognizable. The trick is to take this internet data to real people”, explains the BK expert.
The fall drew wider circles
The Federal Criminal Police Office contacted the Dutch authorities. The further clarification of the case took place in close cooperation and had a far greater impact than the sale of the Austrian registration data. Because the 25-year-old apparently had around 130,000 databases in his “portfolio”. In addition to Austria, data came from the Netherlands, Thailand, China, Colombia and Great Britain, among others. Apparently, he also offered patient data – from other mentioned nations – as the Dutch authorities announced in a broadcast on Wednesday.
Interior Minister Gerhard Karner (ÖVP) and BK Director Andreas Holzer congratulated the investigators: “Fastly growing cybercrime will continue to be fought with all vehemence and new methods in the future,” said Karner. “This case shows how important and necessary investigations in cyberspace are. Our investigators have the know-how and no perpetrator should be sure they can disappear into the anonymity of the internet,” emphasized Holzer.