The personally identifiable information (PII) of over eight hundred thousand Dutch citizens and residents was put up for sale on an illegal data marketplace a few hours ago, including:
- Email Addresses
- Full Names
- Street addresses (with full postal code/city details)
- Phone Numbers
- Dates of Birth
Obviously, this is bad. It can enable identity theft, phishing scams, and social engineering attacks. Criminals can use this information to impersonate victims, access financial accounts, or create fraudulent accounts in their name. Additionally, it increases the risk of targeted scams or harassment.
As of right now, I don’t know where it came from. A look at some of the sample data indicates that a number of the email addresses could have come from the February 2019 Verifications.io breach, so this could be a bogus leak, or “padding”.
However, I think the more likely scenario is that this is just the second time many of these customers have had their data leaked.
The Netherlands is becoming a pretty hot target for this kind of leak.
This incident marks the latest in a series of breaches exposing the personal information of millions of Dutch citizens:
- On September 14th, a call center’s database was reportedly breached, exposing 300,000 landline phone numbers and addresses.
- On September 10th, a database containing over 14,000 employee records from a prominent Dutch technology manufacturer was allegedly leaked.
- On September 7th, access credentials for over 1,300 mailboxes and endpoint devices linked to an unidentified Dutch governmental organization were reportedly sold on a criminal data marketplace.
- On August 17th, data from over 9 million WhatsApp users with Dutch phone numbers was reportedly put up for sale. This came just hours after another leak involving 6.2 million individuals, which included surnames, email addresses, birth dates, residences, gender markers, and phone numbers.
Yes, this is what 99 percent of Breach Forums posts look like.
However, the biggest alarm was sounded on September 26th. PII similar to the above, this time covering the entire Dutch police force (roughly 62,000 entries), was leaked by a still-unknown threat actor implied to be an unidentified foreign adversary (I don’t know if I believe that).
This incident likely had a lot to do with the Dutch government’s seeming change-of-heart on encryption in the recent late September/early October EU Council votes on the matter. Encryption’s probably the best technology-based defense against such incidents (provided the entities actually do their jobs in defending citizens’ data).
Obviously, depending on how it’s accessed, encrypting data-at-rest isn’t a foolproof solution, but it definitely can’t hurt.
Stay safe out there.