This is evident from research by RTL Nieuws, which confronted the GGD last Friday with the illegal trade in personal data from their systems. The cybercrime team of the Central Netherlands police immediately started an investigation.
It concerns trade in data from two corona systems of the GGD: CoronIT, which contains the private data of Dutch people who have taken a corona test, and HPzone Light, the system for source and contact research of the GGD.
“The trade in this data is deeply shocking,” says Professor of ICT & Law Frederik Zuiderveen Borgesius of Radboud University. “The information can be misused for, among other things, identity fraud, phishing and stalking. Because there are also medical data in the systems, it is extra important to protect this properly.”
Between 30 and 50 euros
On chat services such as Telegram, Snapchat and Wickr, private data from the GGD systems has been offered for sale by dozens of accounts and in various large chat groups for months. Some accounts offer to look up the details of a specific person. That costs between 30 and 50 euros, and in return you receive that person’s home address, e-mail address, telephone number and citizen service number (BSN).
Other accounts offer large datasets containing the private data of many tens of thousands of Dutch people. Criminals charge thousands of euros for these, because it is relatively rare for citizen service numbers to be sold on such a large scale. A citizen service number is highly sensitive and can be misused for identity fraud.
Sales of datasets
RTL Nieuws recently requested the data of a number of people from illegal traders. The people involved had given their prior consent for this. In all cases we received the correct residential address, telephone number, e-mail address and citizen service number. Payment was made in Bitcoin or with a Paysafecard prepaid card.
RTL Nieuws has also inspected a dataset of hundreds of Dutch people, obtained illegally from the GGD’s source and contact investigation system. According to the seller, this dataset was a foretaste of the many thousands to tens of thousands of people he could supply.
Specific datasets are even supplied on request, for example only people from Amsterdam or only people over 50. One of the sellers says the data is in high demand. “I eat well brother,” he says in a chat, referring to how he makes a lot of money selling this data.
CoronIT and HPzone Light
The data comes from two GGD systems: CoronIT and HPzone Light. CoronIT is the online registration system for corona tests to which some 26,000 GGD employees and call center employees of the test line have access. It is also possible to request test appointments and results, but this is not actively advertised by the accounts.
HPzone Light is the information system for source and contact research of the GGD. It contains the private details of all corona-infected Dutch people. The GGD does not know how many people have access to it, but it concerns employees of the Red Cross, the ANWB and call center employees of Teleperformance.
Because of corona, many employees work from home, which according to sources makes it easier to pass data on to criminals.
The data is obtained by bribed employees of the GGD and other organizations that have access to the systems. Criminals are also actively looking for people who can access CoronIT or HPzone Light and pay them for credentials to these systems.
The malicious employees are often paid per person whose data they pass on. This sometimes amounts to hundreds of euros per day, says one of the intermediaries: a considerable sum for a call center employee who earns an average of around 11 euros per hour.
John van den Heuvel and Peter R. de Vries
The accounts advertise with photos of the private data of celebrities, including a number of popular influencers and the two best-known crime journalists in the Netherlands, John van den Heuvel and Peter R. de Vries, the former of whom has been under police protection for years.
John van den Heuvel calls it “disconcerting” that his private data are distributed in this way: “It is painful that the GGD cannot arrange this properly. I do not have the illusion that criminals cannot find my home address, but it is made very easy.”
“This is very sensitive data that people with malicious intentions can seriously abuse,” says Peter R. de Vries. “The government is seriously lacking in this, because they have a duty to properly seal that information.”
Neither Van den Heuvel nor De Vries was aware that their private data is being shared by criminals in this way. De Vries calls it ‘significant’ that he has not heard from the GGD and was instead informed by RTL Nieuws.
Measures by GGD
The GGD was not aware of the illegal data trade from their systems. “We are responsible for the security of our systems,” says André Rouvoet, chairman of GGD GHOR Nederland. “Everyone who is tested by us must be able to rely on that.” After the report by RTL Nieuws, the GGD says it “immediately took further measures”.
The GGD states that employees must submit a Certificate of Good Conduct (VOG) and sign a confidentiality agreement. Random checks are also carried out among employees. In recent times, dozens of people have been checked and fired, according to the GGD.
In addition, the GGD announces that it will “further scale up” the monitoring of the systems. At the end of March, the systems must be checked “automatically and continuously”.
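The article does not say what the GGD’s “automatic and continuous” monitoring will look like. As an added illustration (not GGD code, and not describing CoronIT or HPzone Light), the script below shows the kind of check such monitoring typically runs against a record-lookup audit log: it counts how many distinct citizens each account looks up per day, flags accounts far above their peers, and flags lookups outside rostered hours. The log format, account names, record ids and thresholds are all constructed assumptions.

```python
"""Insider-lookup monitoring over a constructed audit log (added example, not GGD code).

Assumed log format, one event per line:  <ISO timestamp> <account> <action> <record_id>
The record ids are placeholders; they are not real citizen service numbers.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: two agents with normal volume, one agent who pulls
# 30 different records in a single shift and one more late at night.
SAMPLE_LOG_LINES = [
    "2021-01-22T09:05:11 agent_a LOOKUP rec-0001",
    "2021-01-22T09:07:40 agent_a LOOKUP rec-0002",
    "2021-01-22T14:21:09 agent_a LOOKUP rec-0002",  # same citizen again, not a new lookup
    "2021-01-22T10:15:02 agent_b LOOKUP rec-0003",
    "2021-01-22T10:18:33 agent_b LOOKUP rec-0004",
    "2021-01-22T11:40:00 agent_b LOOKUP rec-0005",
] + [
    f"2021-01-22T{11 + i // 12:02d}:{(i * 5) % 60:02d}:00 agent_c LOOKUP rec-{100 + i:04d}"
    for i in range(30)
] + [
    "2021-01-22T23:40:00 agent_c LOOKUP rec-0200",  # outside rostered hours
]


def parse_log(lines):
    """Parse '<timestamp> <account> <action> <record_id>' lines into event dicts."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, account, action, record = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "action": action, "record": record})
    return events


def distinct_lookups_per_day(events):
    """Map (account, YYYY-MM-DD) -> set of distinct record ids that account looked up."""
    seen = defaultdict(set)
    for e in events:
        if e["action"] == "LOOKUP":
            seen[(e["account"], e["ts"].date().isoformat())].add(e["record"])
    return seen


def flag_high_volume(events, ratio=3.0, min_abs=10):
    """Flag (account, day, count) where the number of distinct citizens looked up
    exceeds both an absolute floor and `ratio` times the median of all accounts
    active that day. The floor stops a lone account from being judged only
    against itself; the ratio adapts to busy and quiet days."""
    per_day = defaultdict(dict)
    for (account, day), records in distinct_lookups_per_day(events).items():
        per_day[day][account] = len(records)
    flagged = []
    for day, counts in per_day.items():
        threshold = max(min_abs, ratio * median(counts.values()))
        for account, n in counts.items():
            if n > threshold:
                flagged.append((account, day, n))
    return sorted(flagged)


def flag_off_hours(events, start_hour=7, end_hour=22):
    """Flag lookups outside the rostered window [start_hour, end_hour) as (account, timestamp)."""
    return sorted((e["account"], e["ts"].isoformat()) for e in events
                  if e["action"] == "LOOKUP"
                  and not (start_hour <= e["ts"].hour < end_hour))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG_LINES)
    for account, day, n in flag_high_volume(evs):
        print(f"HIGH VOLUME: {account} looked up {n} distinct records on {day}")
    for account, ts in flag_off_hours(evs):
        print(f"OFF HOURS:   {account} lookup at {ts}")
```

Run against the constructed sample, only agent_c is reported: 31 distinct records against a peer median of 3, plus one lookup at 23:40. In a real deployment the useful refinements are correlating each lookup with a legitimate reason (an open call or appointment for that citizen) and alerting on lookups of records flagged as high profile, which is the pattern behind the celebrity cases the article describes.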
Two men aged 21 and 23 have been arrested
The police arrested two men in Amsterdam on Saturday evening who are suspected of illegal data trade. These are a 21-year-old man from Heiloo and a 23-year-old man from Alblasserdam, and both work in the call center of the GGD. The homes of the men have been searched and computers seized.
“Stealing and selling or reselling personal data is a serious crime,” said Jeroen Niessen of the cybercrime team of the Central Netherlands police. “The police and the Public Prosecution Service are on top of this. The GGD reported the data theft to us last Friday. We immediately started a major investigation and arrested two people in this case within 24 hours. More arrests are certainly not ruled out. The investigation continues, including into the extent of the data theft.”
Both men are expected to be brought before the examining magistrate tomorrow.
The Dutch Data Protection Authority demands clarification
“This is very bad and may be a serious data breach,” said a spokesperson for the Dutch Data Protection Authority. “The AP immediately demanded clarification from the GGD. This data includes name, address, place of residence and telephone numbers and also BSNs: all current and in large quantities. That is very valuable.”
The Dutch Data Protection Authority reports that an organization can be negligent if it does not sufficiently secure the data in its systems: “Then you risk not only a fine from the AP, but also mass claims from victims, for example.”
It is not the first scandal involving private data from corona systems. Last week, Nieuwsuur revealed a data breach at the commercial testing company U-Diagnostics through which the personal data of tens of thousands of Dutch people could be viewed. In November last year, the AD reported that GGD employees are secretly peeking into the files of Dutch celebrities, including those of the Rotterdam mayor Ahmed Aboutaleb.
These privacy scandals may lead to fewer people daring to get tested. “This definitely has consequences for people’s willingness to be tested,” says professor of health law Martin Buijsen of Erasmus University Rotterdam. “If you know that that data can be sold on to criminals, you think twice before doing such a test.”
What can you do?
The GGD is responsible for the security of your private data. If that data is leaked or resold, criminals could use it for identity fraud or scams. It is therefore important to be alert to scams via e-mail, SMS and WhatsApp, among other channels. It is also wise to keep a close eye on your postal mail, to pay attention to strange or unexpected letters, and to check your bank statements carefully.