“For criminals, this is super useful information,” said McAfee security researcher John Fokker, who investigated online crime and organized crime with the police.
The leak was at the company RDC, which, for example, offers garages the option of automatically emailing customers when it is time for their MOT inspection. The company has received some of the information from the National Road Transport Agency (RDW). This body keeps the vehicle administration up to date.
How exactly the data was stolen is a mystery. After the NOS had informed the company that data was being offered for sale, it started an investigation and recognized the stolen data. “The investigation is still in full swing. We have already reported to the Dutch Data Protection Authority,” said a spokesperson for RDC.
This concerns older data: it may therefore be that it was stolen longer ago, but is only now being offered. The company says it is not aware of a recent leak.
Prominents the victim
“Gangs of criminals that get their hands on this data can now see where expensive cars are with one click of a button,” says security researcher Fokker. “They don’t have to go out on the street anymore.” The large amount of personal details can also be interesting for internet scammers, in order to be able to approach people in a more targeted and personal way.
Person-centered attacks can now also become easier. Various prominent figures can be found in the dataset, including a party leader in the House of Representatives. “You now know where they live and what car they drive,” says Fokker.
For $ 35,000
The data appeared on the hacker forum this weekend; the seller said he wanted $ 35,000 for the data. Some of the data has been publicly posted on the internet. The NOS also approached the internet criminals and received the data of 58,000 Amsterdammers with a car or motorcycle. This involved 54,000 unique license plates.
This is partly outdated data, including cars that are no longer in use. But although the license plate may now be in a different name, for example the home address, e-mail address or telephone number can still be correct.
It even contains details of cars that were at a particular garage more than ten years ago. “You may wonder why that was not already erased years ago,” says Fokker. “It is really dangerous to keep this kind of data in the same place for years.”
Under strict conditions, RDC receives data from the RDW, such as information about the expiry date of MOT inspections and rough information about the owners of cars, such as the numbers of the postcode and year of birth. Whether that is unsettled is not known. “There is contact with RDC and the consequences are being discussed”, says the RDW.
More often mega data breaches
Last month there was a similar data leak: the data was stolen from people who bought tickets for museums and zoos through the company Ticketcounter, for example. This also involved an unknown number of address data.
According to the Dutch Data Protection Authority, there were more such ‘mega-data leaks’ in 2020, with the data of more than 100,000 people being exposed. In 2019 there were 68, but already 76 last year. At least 10,000 people were involved in 257 data leaks.