Dutch man arrested for stealing data on nearly every Austrian citizen

Also holds data from Italy, the Netherlands and Colombia

An employee of an IT firm in Vienna apparently left the data online after doing work for Gebühren Info Service GmbH

Authorities in the Netherlands have arrested a man for collecting and attempting to sell personal information on practically every Austrian citizen.

The 25-year-old individual, whose identity has not yet been made public, was detained in an Amsterdam flat in November 2022, according to information released on Wednesday by Austria's Federal Criminal Police Office (Bundeskriminalamt/BK).

To avoid obstructing ongoing investigations, the Dutch police waited until now to make the arrest public.

According to the Austrian authorities, the man was selling a trove of data containing the full name, address, and date of birth of almost everyone in the country.

He shared the stolen data, holding over 9 million data sets, online in May 2020.

Austria has a population of around 9.1 million people.

According to police, the trove contained registration data that citizens are required to provide to authorities. The stolen data did not include any financial information.

Police have confirmed the information's authenticity. They added that because the information was available on the open internet, it must be assumed it is now in the hands of criminals.

The hacker offered 'similar data sets' from Colombia, the Netherlands and Italy, although no information is available about the scope of those datasets.

According to ITPro, the man took the Austrian data from a misconfigured cloud database he found via a search engine.

The attack, which targeted Gebühren Info Service GmbH (GIS), the organisation in charge of collecting the nation's TV and radio licence payments, was first identified in May 2020.

According to the BK, the GIS had recruited an IT firm in Vienna to rebuild its internal databases. The databases held information about citizen locations to help the firm track anybody trying to avoid paying a broadcast fee.

An employee apparently left a GIS database online without securing it, after using the data during a test.

The hacker eventually discovered the database through a search engine 'that wasn't Google'.

Authorities in New Zealand notified the Austrian police that someone was attempting to sell data on the online hacker hideout RaidForums (which is now defunct) under the moniker 'DataBox'.

Investigators covertly purchased the information for a 'four digit' fee.

Authorities established the perpetrator's identity when they seized a German server he was using to store the stolen data.

Austrian investigators subsequently notified Dutch authorities. They then established the hacker had obtained more material, in addition to the 9 million Austrian records, from thousands of other databases.

"The rapidly growing cybercrime will continue to be fought with all vehemence and new methods in the future," said Gerhard Karner, interior minister at the Austrian government.

"This case shows how important and necessary investigations in cyber space are. Our investigators have the know-how and no perpetrator should be sure of being able to disappear into the anonymity of the internet."