The Dutch National High Tech Crime Unit (NHTCU) has arrested a 17-year-old boy for allegedly accessing customer account data on servers run by mobile telecommunications company KPN in the Netherlands. He has been accused of hacking into KPN's systems on January 16, 2012, the Dutch Office of the Public Prosecutor announced. The hacker managed to gain full access to a few hundred servers, which are used for Internet services and the storage of customer data.
The boy, whose named was not released because he is a minor, is also suspected of breaching security of Tokohu University in Japan, as well as hacking computers at the Korea Advanced Institute of Science and Technology (KAIST) and at Trondheim University in Norway. Last but not least, he reportedly ran a website used for selling stolen credit card data. The teenager confessed to the KPN hack but has yet to say in regards to these other allegations. As part of the investigation, Dutch police collaborated with the Cyber Terror Response Center in South Korea and the Australian Federal Police.
The young man was arrested last week in Barendrecht, about 100 miles south of Amsterdam, and is being held in Rotterdam for two weeks. The Dutch Public Prosecution Service announced yesterday authorities seized an encrypted computer, two laptops, DVDs, external hard drives, and USB sticks. The teenager faces two years in prison; the maximum penalty is reduced due to his age (otherwise it would be six years).
The boy apparently bragged about his KPN hacking exploits, under aliases such as "xS", "Yoshioka" and "Yui", in a chat channel to students from KAIST, according to prosecutors cited by IT World. Cybercrime investigators have been following the boy's movements online for weeks.
KPN has acknowledged the arrest but declined to further comment on it, other than saying that it "must optimally protect its internet servers and IT systems" regardless of the boy's age and his motives. The organization said it has already taken steps to improve security:
The hack this January has directly led to KPN taking action to intensify security. Last week, KPN announced that it will appoint a Chief Cybersecurity Officer who will be given control of a special cybersecurity unit. KPN will furthermore deploy a permanent control centre to provide 24/7 monitoring of KPN's systems. KPN has replaced systems since the hack and is checking systems for possible weaknesses in an operation which will last some months. In February KPN furthermore announced accelerated investments in IT and internet systems.
KPN also noted the arrest is unrelated to a January hack which resulted in the company taking 2 million e-mail accounts offline as a precaution. Account details of KPN customers were leaked on Pastebin in early February, but it turned out the data in question wasn't stolen from KPN's servers.