Exclusive
Illegal trade in private data of millions of Dutch citizens from corona systems GGD
January 25, 2021 15:50
Daniël Verlaan
An employee of the source and contact investigation at the GGD
There is a large-scale trade in millions of addresses, telephone and social security numbers, taken from the two main corona systems of the GGD [Municipal Health Service]. Police arrested two people this weekend who are suspected of this illegal data trade.
This is according to an investigation by RTL Nieuws, which confronted the GGD last Friday with the illegal trade in personal data from its systems. The cybercrime team of the Central Netherlands police region then immediately started an investigation.
It concerns the trade in data from two corona systems of the GGD:
CoronIT, which contains the private data of Dutch citizens who have taken a corona test, and
HPzone Light, the system for source and contact research of the GGD.
"The trade in this data is deeply shocking," responds Professor of ICT & Law Frederik Zuiderveen Borgesius of Radboud University. "The information can be misused for, among other things, identity fraud, phishing and stalking. Because there is also medical data in the systems, it is all the more important to protect this properly."
Between 30 and 50 euros
On chat services like Telegram, Snapchat and Wickr, private data from the GGD systems has been offered for sale for months by dozens of accounts and in several large chat groups. Some accounts offer to look up the data of a specific person. For 30 to 50 euros the buyer receives that person's home address, email address, telephone number and social security number.
Other accounts offer large data-sets containing the private details of tens of thousands of Dutch people. Criminals ask thousands of euros for these, because it is relatively rare for social security numbers to be sold on such a large scale. A social security number is very sensitive and can be misused for identity fraud.
One of the people RTL Nieuws looked up in CoronIT. For privacy reasons, we blacked out a lot of data.
Sale of data-sets
RTL Nieuws recently requested the data of a number of individuals from illegal traders. The individuals concerned gave their permission for this in advance. In all cases we received the correct residential address, telephone number, email address and social security number. Payment was made via Bitcoin or the prepaid card Paysafecard.
RTL Nieuws also inspected a data-set of hundreds of Dutch citizens, illegally obtained from the source and contact research system of the GGD. According to the provider, this data-set was a preview of the many thousands to tens of thousands of individuals he could provide.
Specific data-sets are even supplied on request, for example only people from Amsterdam or only people over 50. One of the vendors says that the data is in high demand. "I eat good brother," he says in a chat, meaning that he makes a lot of money selling this data.
An overview of individuals in HPzone Light, the source and contact investigation system
CoronIT and HPzone Light
The data comes from two GGD systems: CoronIT and HPzone Light. CoronIT is the online registration system for corona tests, to which some 26,000 GGD staff and call center staff of the test phoneline have access. It is also possible to look up test appointments and results in it, but this is not actively advertised by the accounts.
HPzone Light is the information system for the source and contact investigation of the GGD. It contains the private data of all Dutch people infected with corona. The GGD doesn't know how many people have access to it, but they include employees of the Red Cross, the ANWB and call center employees of Teleperformance.
Because of corona, many employees work from home, which, according to sources, makes it easier to pass on data to criminals.
Tens of thousands of people have access to systems like CoronIT and HPzone Light (above)
The data is obtained by bribed employees of the GGD and other organizations that have access to the systems. Criminals are also actively looking for people who have access to CoronIT or HPzone Light, and pay them for login details to these systems.
The dishonest employees often receive an amount for each person whose data they pass on. This sometimes amounts to hundreds of euros per day, according to one of the intermediaries - a hefty sum for a call center employee who earns an average of about 11 euros per hour.
John van den Heuvel and Peter R. de Vries
The accounts advertise with photos of private data of BN'ers [Bekende Nederlanders, i.e. national celebrities], including a number of popular influencers and the two best-known crime journalists in the Netherlands: John van den Heuvel and Peter R. de Vries, the former of whom has been protected by the police for years.
John van den Heuvel calls it "disconcerting" that his private data is distributed in this way: "It is painful that the GGD cannot regulate this properly. I have no illusions that criminals cannot find out my home address, but it is made very easy for them this way."
"It's about very sensitive data that people with bad intentions can misuse," Peter R. de Vries says. "The government is failing badly in this, because they have a duty to protect these data properly."
Neither Van den Heuvel nor De Vries was aware that their private information was being shared by criminals in this way. De Vries calls it "telling" that he has not heard anything from the GGD and was informed by RTL Nieuws.
The private data of John van den Heuvel and Peter R. de Vries are exchanged between criminals
Measures taken by GGD
The GGD was not aware of the illegal data trade from its systems. "We are responsible for the security of our systems," says André Rouvoet, national chairman of GGD GHOR Nederland. "Anyone who gets tested with us should be able to rely on that." After being alerted by RTL Nieuws, the GGD "immediately took further measures".
The GGD states that employees must submit a Certificate of Good Conduct (VOG) and sign a confidentiality agreement. Random checks are also carried out among employees. Recently dozens of people were checked and fired, says the GGD.
In addition, the GGD says it will "further scale up" the monitoring of the systems. By the end of March the systems should be checked "automatically and continuously".
This is what the CoronIT system looks like
Two men of 21 and 23 arrested
Police arrested two men suspected of the illegal data trade in Amsterdam on Saturday evening. They are a 21-year-old man from Heiloo and a 23-year-old man from Alblasserdam, and both work in the call center of the GGD. The men's homes were searched and computers confiscated.
"Stealing and selling or reselling personal data is a serious crime," said Jeroen Niessen of the cybercrime team of the Central Netherlands police. "Police and the Public Prosecutor's Office are on top of this. The GGD reported the data theft to us last Friday. We immediately started a major investigation and have arrested two people in this case within 24 hours. More arrests are certainly not excluded. The investigation continues, including into the extent of the data theft."
Both men are expected to be brought before the examining magistrate tomorrow.
Personal Data Authority demands clarification
"This is very bad and is potentially a serious data breach," a spokesperson for the Personal Data Authority announced. "The PDA has immediately demanded clarification from the GGD. This data contains name, address, place of residence and telephone numbers and also social security numbers: all up to date and in large quantities. That's worth a lot."
The Personal Data Authority reports that an organization can be negligent if it does not adequately secure the data in its systems: "Then you risk not only a fine from the PDA, but also, for example, mass claims from victims."
Private data is resold in large numbers to criminals
Privacy scandals
This is not the first scandal involving private data from corona systems. Last week Nieuwsuur revealed a data leak at the commercial testing company U-Diagnostics through which the personal data of tens of thousands of Dutch citizens could be viewed. In November last year the AD reported that GGD employees had secretly peeked into the files of Dutch celebrities, including that of Rotterdam's mayor Ahmed Aboutaleb.
These privacy scandals could cause fewer people to dare to get tested. "This definitely has an impact on people's willingness to get tested," argues professor of health law Martin Buijsen of Erasmus University Rotterdam. "If you know that that data can be sold on to criminals you will think twice before taking such a test."
What can YOU do?
The GGD is responsible for the security of your private information. If it is leaked or resold, it can be misused by criminals for identity fraud or scams. It is therefore important to be alert to scams via email, text message and WhatsApp. It is also wise to keep a close eye on your post and watch out for strange or unexpected mail, and to check your bank statements carefully.