COVID-19 , Governance & Risk Management , Incident & Breach Response
2 Arrested for Alleged Theft of COVID-19 Patient DataDutch Police Say Data Offered for Sale Online
Police in the Netherlands have arrested two health ministry workers for allegedly stealing COVID-19 patient data from the agency’s systems and offering it for sale online.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
The arrest on Jan. 23 of the two Dutch Municipal Health Service, or GGD Amsterdam, workers comes on the heels of a December cyberattack on the Netherlands-based RTL Nieuws, last week found personal data from the GGD systems offered for sale on chat services, including Telegram, Snapchat and Wickr.
The cybercrime team of the Central Netherlands Police launched an investigation. On Saturday, they arrested a 21-year-old man from Heiloo and a 23-year-old man from Alblasserdam who both work in the GGD call center, RTK Nieuws reports.
Both workers’ homes have been searched and their computers have been seized, Netherland police said in a statement Monday, adding that more arrests in the incident were “not excluded.”
“Stealing and selling or reselling personal data is a serious crime,” the police statement said.
Personal data, including names, addresses and dates of birth, was among the information offered for sale, police said. RTL Nieuws reported that Netherlands Social Security numbers were also offered.
“On chat services … private data from the GGD systems has been offered for sale for months by dozens of accounts and in several large chat groups,” RTL Nieuws reports. “Some accounts offer to look up a specific person's data. That costs between 30 and 50 euros ($36 and $61), and then you receive … the address and phone and Social Security number.”
Photos of Data
The stolen GGD data comes from two of its COVID-19 systems: CoronIT, which contains the private data of Dutch individuals who have had a coronavirus test, and HPzone Light, a COVID-19 source and contact tracking system, RTL Nieuws reports.
RTL Nieuws also reports that the online ads for the information included photos of computer screens listing data for Dutch citizens.
The Netherlands police statement makes no mention of how many individuals may have had their data breached in the GGD incident. But RTL Nieuws reports that it appears “millions of address data, telephone and Social Security numbers are traded on a large scale, originating from the GGD's two main corona systems.”
GGD did not immediately respond to Information Security Media Group’s request for comment.
GGD Offers FAQ
In a FAQ about the incident on its website, GGD says that it checks in various ways how its employees handle the information in the ministry’s systems. “And that has previously led to the discovery of irregularities and to the taking of measures. In addition, we protect ourselves against attacks on our systems from outside.”
The GGD also says it has in place control mechanisms to prevent abuse of its systems. They include requiring new employees to provide a certificate of conduct and to sign a nondisclosure agreement.
The health ministry says it expects to implement enhanced monitoring of the use of its systems by the end of March.
Due to the ongoing investigation, GCD says it cannot provide comment about the criminal case. “We expect this criminal action to raise questions about the security of testing and the way the GGDs handle the personal data. Testing is a hugely important link in fighting the virus.”
The Dutch health ministry data leak serves as a reminder of the threats posed by malicious insiders.
“It is crucial for organizations to ensure that their staff are operating with proper actions to help keep their data, information and systems secure,” says Stanley Mierzwa, director of the Center for Cybersecurity at Kean University in New Jersey.
The Dutch incident, he says, helps “to draw greater attention to ethics, particularly for those parties tasked with access to important knowledge, data and information in relation to the current and ongoing COVID-19 pandemic response. With cybersecurity incidents continuing, placing greater emphasis on ethical responsibilities may be a useful reminder.”
Van Dyke of Breach Clarity notes that preventing users from taking photos of sensitive data on computer screens, including while working from home, is also a difficult challenge.
“Having said that, it’s important for organizations to always have ‘watermarking’ of every screen or printout of data, so that when pictures are recovered, they can be more easily traced back to the source and perpetrator,” he notes.