Dutch Hacker Reportedly Stole Data About Austria’s 9 Million Citizens by Using a Search Engine to Access a Misconfigured Cloud Database

The FPS Review may receive a commission if you purchase something after clicking a link in this article.

Image: Shutterstock

Austria’s Federal Criminal Police Office (Bundeskriminalamt/BK) revealed on 25 January that it has arrested a 25-year-old Dutch hacker for reportedly stealing data about nearly its entire population. ITPro reports the hacker stole data that belonged to 9 million Austrians. The organization responsible for collecting television and radio fees for Austria, the Fees Info Service (GIS), was said to be the source of the data breach. GIS announced in May 2020 that an event had occurred and that it was working with authorities on the matter.

Statement From GIS:

“As it became known today, large amounts of data may have been stolen, although it cannot be ruled out that this data came from the sphere of influence of the GIS,” said the GIS in a written statement to the APA. Managing Director Harald Kräuter emphasizes that he works together with the authorities and that he has made the GIS systems available for checks. ” As our data protection experts assure us, there were no omissions on the part of the GIS. This is also underpinned by the ISO certification of the GIS IT systems, which was renewed in February, ” emphasized Kräuter.”

Die Presse has reported that the Dutch hacker was able to obtain the data due to a glitch while a contracted Viennese IT company performed maintenance on the GIS database. It is believed that an employee accidentally left the database unprotected and accessible to the internet for about a week before it was discovered.

Machine translated from Die Presse:

“The mistake must have happened with the subcontractor: An employee of the company may have used the real registration data from the GIS for a test, and this database was available on the Internet without access protection, according to estimates by the BK specialists for about a week. “The perpetrator found the data with a search engine,” said a BK investigator.”

Soon after the data began to appear on the dark web and authorities began their investigation. They tracked the dutch hacker via bitcoin transactions who also had roughly 130,000 other databases including China, the Netherlands, Thailand, Columbia, Great Britain, and others. Interior Minister Gerhard Karner (ÖVP) and BK Director Andreas Holzer gave praise to the team for breaking the case.

“The rapidly growing cybercrime will continue to be fought with all vehemence and new methods in the future,” said Karner. “This case shows how important and necessary investigations in cyberspace are. Our investigators have the know-how and no perpetrator should be sure of being able to disappear into the anonymity of the Internet,” stressed Holzer.”

Join the discussion in The FPS Review Forums...

Discussion (5 replies)

Join Discussion →
MadMummy76
MadMummy76 👍 1

OMG, very misleading title. They didn't stole from 9 million people, they downloaded unspecified details of registered users from a government database and then resold that as lists. They don't say what personal details were actually accessible.

Also LOL at the company waving their ISO certification as proof of anything. That's the most worthless piece of burocratic toilet paper if there ever was one.

Grimlakin

All the certifications in the world don't matter if one of your steps to work on something is to EXPOSE IT FO THE FREAKIG INTERNET no matter for what length of time. What kind of idiot security team was overseeing this? How could this actually happen without ANYONE catching that they were opening up their Metadata to the internet at large even for a minute?

If someone didn't his without peer review or oversize they need to be fired and sued. If someone did this with peer review and oversize they need to be fired.

You NEVER expose internal data to the ENTIRE INTERNET for any length of time... EVER.

Peter_Brosdahl
Peter_Brosdahl 👍 2

"MadMummy76, post: 66754, member: 1298" wrote:

OMG, very misleading title


Yeah, sorry about that. I was running with a theme from the source site and I had made changes to the search description blurb but forgot to get back to the title. I just changed it.

MadMummy76
MadMummy76 👍 3

"Grimlakin, post: 66760, member: 215" wrote:

You NEVER expose internal data to the ENTIRE INTERNET for any length of time... EVER.


You never worked with stingy companies. They don't want to spend on experts. "Friedrich from accounting knows a thing or two about databases, have him work on it..."

Many government contractors work with unfiltered lists containing tons of personal data. You might as well assume it is public domain.

"Peter_Brosdahl, post: 66798, member: 87" wrote:

Yeah, sorry about that. I was running with a theme from the source site and I had made changes to the search description blurb but forgot to get back to the title. I just changed it.


It's nothing, I was blaming the source, not you.

Brian_B
Brian_B 👍 1

"MadMummy76, post: 66803, member: 1298" wrote:

You never worked with stingy companies. They don't want to spend on experts. "Friedrich from accounting knows a thing or two about XYZ, have him work on it..."


This is the story of my entire career right here.

Peter Brosdahl
As a child of the 70’s I was part of the many who became enthralled by the video arcade invasion of the 1980’s. Saving money from various odd jobs I purchased my first computer from a friend of my dad, a used Atari 400, around 1982. Eventually it would end up being a lifelong passion of upgrading and modifying equipment that, of course, led into a career in IT support.

Recent News