Dutch COVID-19 Patient Data Sold on the Criminal Underground

Dutch police arrested two individuals late last week for allegedly selling data from the Dutch health ministry's COVID-19 systems on the criminal underground. From a report: The arrests came after an investigation by RTL Nieuws reporter Daniel Verlaan who discovered ads for Dutch citizen data online, advertised on instant messaging apps like Telegram, Snapchat, and Wickr. The ads consisted of photos of computer screens listing data of one or more Dutch citizens. The reporter said he tracked down the screengrabs to two IT systems used by the Dutch Municipal Health Service (GGD) -- namely CoronIT, which contains details about Dutch citizens who took a COVID-19 test, and HPzone Light, one of the DDG's contact-tracing systems. Verlaan said the data had been sold online for months for prices ranging from $36 to $60 per person. Buyers would receive details such as home addresses, emails, telephone numbers, dates of birth, and a person's BSN identifier (Dutch social security number).

They were warned months ago...

[Halueth]

And they were warned something like this would happen if you allow unrestricted access on 16 September last year. https://twitter.com/gertvdijk/... [twitter.com]

Re:

[alvinrod]

It really doesn't matter because nothing is ultimately secure. Any kind of large database of information is vulnerable and one that's exposed to the larger internet is vulnerable to the whole world which simply speeds up the process. There's obviously a lot of good that can come from such databases, but plenty of evil as well. I'd like to think that if the founders of the US had imagined such a thing could have every possibly existed that they wouldn't have expressly forbidden the government from doing it.

Re:

[JaredOfEuropa]

This has come up before in NL, for instance with the national police database. Officers got caught pulling files on celebrities, or digging for dirt on ex-lovers. 2 lessons they should have learned from there, but didn't: 1) Audit all access. 2) If it is impractical to implement fine grained access control, at least monitor the audit log for irregular access patterns.

Re:

[xonen]

True, and likely none of this was done. Actually test locations were hindered by 'IT problems', which was in the news on occasion. Which hints that whatever information system they used, it was quickly hacked together.

The situation totally allows fine-grained controls, at any location no further information was needed than the appointments for that day, even within a certain time frame. And the team taking appointments by phone only has to verify information any caller gives, and do not have to be able to l

Re:

[MtHuurne]

That perfect security is impossible doesn't mean that nothing can be done to secure data. The news item linked in the grandparent post states that call center operators could access data from arbitrary people, that they didn't need for their job, without consequences.

I can understand that the GGDs were taken by surprise during the first wave of the pandemic. But to me as an outsider it looks like the improvised solutions they hurriedly set up in March/April were never replaced by secure and robust systems l

Re:

[Halueth]

There is a difference if something isn't entirely secure, or the created front-end is lacking basic measures like compartmentalized access etc. Even the employees of the Dutch Municipal Health Service (GGD) were surprised they could see data where other institutions didn't allow it access to such data. The party creating it did so on a deadline and hoping to be the first to market. This is what you get when people cut corners. No excuses imho, some stuff should be a mindset, not a feature.

Criminal underground

[sosume]

Is that criminal underground a special kind of subway where only criminals can get a ride? Or is it located in the sewers below the city where all the criminals live? Questions ..

Hard to believe has nt happened before

[AlexHilbertRyan]

.... in NL.