Dutch police have arrested two Public Health Department (GGD) workers for allegedly stealing information on COVID-19 patients and offering to sell it online to various cybercriminals.
The arrests resulted from a police investigation after RTL Nieuws, a local media outlet, discovered personal information from two GGD systems, storing coronavirus patient information, was being sold on instant messaging apps such as Telegram.
Police said the GGD reported personal data theft from its systems on January 22.
“The cybercrime team of the Central Netherlands police immediately started an investigation,” the police report reads. “This investigation soon led to two employees of the GGD call center. The suspects were both in Amsterdam on Saturday evening, where they were arrested and taken to a cell. It concerns a 21-year-old man from Heiloo and a 23-year-old man from Alblasserdam. The men’s homes were searched; computers have been seized.”
The investigation is ongoing, and authorities have not ruled out additional arrests. The initial police report states that names, date of birth, and address were among personal information put up for sale by the two suspects.
However, the RTL Nieuws investigation revealed that the private data had been offered for sale in large chat groups, including Snapchat and Wickr for months. Some posts provide look-up services for specific individuals that range between 30 and 50 euros.
“You will receive the home and email address and telephone and social security number from someone,” RTL Nieuws explained. “Other accounts offer large datasets containing the private data of tens of thousands of Dutch people. Criminals charge thousands of euros for this because it is relatively unique that social security numbers are sold on such a large scale.”
The data theft and illegal trade of information has obliged the GGD to enforce additional security measures, requiring each employee to sign a confidentiality agreement and submit a Certificate of Good Conduct. The public health service also ensured that remote workers will be thoroughly monitored once system upgrades are made.
The security incident could also have serious legal and financial consequences for the GGD. “This is very bad and may be a serious data breach,” the Dutch Data Protection Authority said. “The AP immediately demanded clarification from the GGD. This data includes name, address, place of residence and telephone numbers and also BSNs: all current and in large quantities. That is very valuable.”