Dutch COVID-19 patient and testing data sold on the criminal underground

Dutch police have arrested two individuals on Friday for allegedly selling data from the Dutch health ministry’s COVID-19 systems on the criminal underground.

The arrests came after an investigation by RTL Nieuws reporter Daniel Verlaan who discovered ads for Dutch citizen data online, advertised on instant messaging apps like Telegram, Snapchat, and Wickr.

The ads consisted of photos of computer screens listing data of one or more Dutch citizens.

The reporter said he tracked down the screengrabs to two IT systems used by the Dutch Municipal Health Service (GGD) — namely CoronIT, which contains details about Dutch citizens who took a COVID-19 test, and HPzone Light, one of the DDG’s contact-tracing systems.

Verlaan said the data had been sold online for months for prices ranging from €30 to €50 per person.

Buyers would receive details such as home addresses, emails, telephone numbers, dates of birth, and a person’s BSN identifier (Dutch social security number).

Two men arrested in Amsterdam within a day

In a press release today, Dutch police said they started an investigation last week when they learned of the ads and arrested two suspects within 24 hours of the complaint.

Both men were arrested in Amsterdam on Friday, and were identified as a 21-year-old man from the city of Heiloo and a 23-year-old man from the city of Alblasserdam. Their homes were also searched, and their computers seized, police said.

According to Verlaan, the two suspects worked in DDG call centers, where they had access to official Dutch government COVID-19 systems and databases.

Source: Dutch COVID-19 patient data sold on the criminal underground | ZDNet

It turns out you can buy searched subsets of the information, eg people from Amsterdam or search by name.

Millions of people – basically everyone who’d ever had a corona test – were affected.

Original sauce: Illegale handel in privégegevens miljoenen Nederlanders uit coronasystemen GGD (RTL news)

It also turns out that the GGD was warned repeatedly of their poor security measures over the years and nothing was done about it. Andre Rouwvoet, the boss of the GGD was also warned and says it’s one of those things that couldn’t be helped. This is simply not true. The most obvious questions are:

  1. Why wasn’t the data deleted after no longer being relevant (it’s kept  for traceability of other people exposed and so loses relevance after 10 – 14 days)
  2. Why could helpdesk people access all of this huge database?
  3. Why wasn’t there a system op alarms in place to shout out when people were bulk exporting data?


Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft