On Wednesday, Austrian police announced the arrest of a hacker in the Netherlands for selling the personal information of almost everyone living in Austria. The investigation involved collaboration between authorities in multiple countries over two years. The unnamed 25-year-old Dutch suspect allegedly listed a dataset for sale online containing the names, addresses, genders, and dates of birth of nine million Austrians – virtually the country’s entire population. Reuters notes that police arrested the man in November but held off announcing it pending an ongoing international investigation that started with a data breach in 2020. The hacker didn’t acquire the data using malware. Austrian newspaper Die Presse writes that he merely seized upon a mistake someone made during a routine IT operation.
When the Gebühren Info Service (GIS), which handles Austrian broadcasting fees, hired a Vienna subcontractor to restructure its data in 2020, one of the company’s employees accidentally used the service’s real information during a test. The GIS reported the data theft in May 2020. The hacker may have accessed it using a search engine, although it was not Google. As a result, the personal data of millions of Australian citizens was left publicly accessible online for about a week. When someone named “DataBox” on Raidforum.com offered to sell registry information on millions of Austrians in New Zealand, NZ authorities bought it for a four-figure sum to confirm that it came from the GIS breach. The data’s composition style matched GIS record-keeping. Police identified the suspect after securing a server in Germany from which they allegedly downloaded the GIS’s data. The New Zealand bitcoin transaction also pointed authorities to the hacker, who the police suspected of cybercrimes. When Dutch police arrested the suspect in Amsterdam, they found 130,000 data banks containing personal information on people in Thailand, China, the Netherlands, Columbia, and the UK, including medical records.