Special Feature
Part of a ZDNet Special Feature: Coronavirus: Business and technology in a pandemic

Dutch COVID-19 patient data sold on the criminal underground

Two individuals have been arrested in the Netherlands last week for selling data from Dutch COVID-19 systems on Telegram, Snapchat and Wickr.

rtl-image-2.jpg

Image via RTL Nieuws

Dutch police have arrested two individuals on Friday for allegedly selling data from the Dutch health ministry's COVID-19 systems on the criminal underground.

ZDNet Recommends

Face masks for businesses and professionals: Where to buy online

Here are some non-medical face masks you can wear back to work.

Read More

The arrests came after an investigation by RTL Nieuws reporter Daniel Verlaan who discovered ads for Dutch citizen data online, advertised on instant messaging apps like Telegram, Snapchat, and Wickr.

The ads consisted of photos of computer screens listing data of one or more Dutch citizens.

The reporter said he tracked down the screengrabs to two IT systems used by the Dutch Municipal Health Service (GGD) — namely CoronIT, which contains details about Dutch citizens who took a COVID-19 test, and HPzone Light, one of the DDG's contact-tracing systems.

Verlaan said the data had been sold online for months for prices ranging from €30 to €50 per person.

Buyers would receive details such as home addresses, emails, telephone numbers, dates of birth, and a person's BSN identifier (Dutch social security number).

Two men arrested in Amsterdam within a day

In a press release today, Dutch police said they started an investigation last week when they learned of the ads and arrested two suspects within 24 hours of the complaint.

Both men were arrested in Amsterdam on Friday, and were identified as a 21-year-old man from the city of Heiloo and a 23-year-old man from the city of Alblasserdam. Their homes were also searched, and their computers seized, police said.

According to Verlaan, the two suspects worked in DDG call centers, where they had access to official Dutch government COVID-19 systems and databases.

The names of the two suspects, scheduled to appear in court tomorrow, were not released; in accordance with Dutch law.

"Because people are working from home, they can easily take photos of their screens. This is one of the issues when your administrative staff is working from home," Victor Gevers, Chair of the Dutch Institute for Vulnerability Disclosure, told ZDNet in an interview today.

"We have seen this before in the Netherlands with influencers and VIPs.

"The BSN number (Dutch social security number) is important because this makes financial fraud easier for criminals," Gevers added.

"But also for blackmailing purposes. Especially when they know where you live."