The Dutch police recently apprehended three additional suspects in what is considered one of the most significant data extortion cases to date. These suspects, aged between 18 and 21, were reportedly involved in extorting companies and selling stolen data to other criminal organizations.
During a two-year investigation, the police discovered that the suspects targeted thousands of businesses, including educational institutions, online shops, ticket vendors, and critical infrastructure and service providers.
The three men, along with a 25-year-old who was arrested last year, are accused of illegally accessing computer systems, stealing data, extortion and blackmail, and money laundering. The suspect who was apprehended last year was allegedly involved in a data theft incident involving Gebühren Info Service GmbH (GIS), which collects television license fees on behalf of the Austrian government. The dataset from that breach is believed to contain information on nearly every Austrian citizen.
Unfortunately, one of the arrested individuals was also a member of the Dutch Institute for Vulnerability Disclosure (DIVD), a group of volunteer cybercrime fighters. You may recall hearing about them in the 2021 Lock and Code episode about “The failed race to fix Kaseya VSA, with Victor Gevers.”
It is unclear whether this suspect worked there to ease his conscience or with the intention of gaining access to information he could use for illegal activities. Nevertheless, it is evident that he alternated between wearing his white and black hats. According to a DIVD statement, there is no indication that he was able to abuse his position, but his access to DIVD systems has been terminated.
As expected from criminals willing to extort businesses, they were not trustworthy. Some of the data they held for ransom was sold to other criminals even after the ransom demand was paid.
One of the group’s members operated a Telegram channel where he offered to sell personal and address information based on license plates. This allowed organized criminals to quickly find out details about a target.
This data would also be valuable for a range of other crimes, including phishing attacks, credit card fraud, or any other form of fraud where knowledge of the victim gives the criminal an advantage.
The cybercrime unit responsible for the arrests also cautioned that criminals are becoming more adept at refining this stolen data and discovering new ways to use it.
It is worth reflecting on the harm caused by a criminal enterprise like this. The damage extends beyond the companies forced to pay the ransom. There are significant costs associated with restoring compromised systems and conducting forensic investigations. There is also emotional damage to the owners of the stolen data and to those who feel responsible for allowing the breach to occur—imagine being the person who clicked on a link that initiated an attack.
In an interview, the CEO of the online ticket vendor stated that he felt intimidated by the criminals who informed him that they knew “who he was married to.” He also expressed gratitude for working with the police. By negotiating the ransom, he was able to buy some time. And with the assistance of Troy Hunt from HaveIBeenPwned, he was able to determine the extent of the stolen data and notify affected customers himself.
The individuals whose personal information has been acquired by these criminals (effectively the entire Austrian and Dutch populations) need to remain vigilant against unexpected phone calls from scammers posing as representatives of their bank, as well as phishing emails and other fraudulent activities.
Those who have been impacted by this data breach must take the following precautions:
- Consult the guidance provided by the vendor. Since every data breach is unique, it is critical to consult with the vendor to ascertain the nature of the breach and comply with any specific instructions provided.
- Change your passwords. By changing your passwords, you can render a hacked password ineffective. Choose a robust password that is not used elsewhere. It is preferable to have a password manager generate one for you.
- Activate two-factor authentication. Whenever possible, use a FIDO2 two-factor authentication device. Certain types of two-factor authentication (2FA), such as codes sent by SMS or typed in from an app, can be as susceptible to phishing as a password. 2FA that relies on a FIDO2 device is immune to phishing because the credential is bound to the legitimate site's origin, so a lookalike site cannot use it.
- Remain cautious of fake vendors. The thieves may contact you while masquerading as a vendor. Verify if the vendor is contacting victims by visiting their website, and confirm any communications via a distinct communication channel.
- Stop and analyze. Phishing attacks frequently impersonate individuals or brands you are familiar with and employ themes that necessitate urgency, such as missed deliveries, account suspensions, and security alerts.