Police said a hacker tried to sell the personal information of almost all Austrian citizens

In context: The results of successful international cooperation between law enforcement agencies fighting cybercrime were known for the second time this week. While a case not as severe as the collapse of Hive ransomware, the capture of a hacker who sold the personal data of millions of people provides another example of the fragility of digital privacy. It also shows the cost of human error by those who host our personal information.

On Wednesday, the Austrian police announced the arrest of a hacker in the Netherlands for selling personal information to almost every person living in Austria. The investigation required cooperation between the authorities of several countries for two years.

An unidentified 25-year-old Dutch suspect is said to have offered for sale online a dataset containing the names, addresses, genders and birthdates of nine million Austrians, nearly the entire population of the country. Reuters notes that police arrested the man in November but delayed an announcement pending an ongoing international investigation that began over the data breach in 2020.

The hacker did not obtain the data using malware. The Austrian newspaper Die Presse writes that it simply picked up on a mistake made by someone during a routine computer operation.

When the Gebühren Information Service (GIS), which manages Austrian broadcast costs, hired a Viennese contractor to restructure its data in 2020, one of the company’s employees mistakenly used the actual service’s information during ‘testing’. GIS reported the data theft in May 2020.

The hacker might have accessed it using a search engine, even if it wasn’t Google. As a result, the personal data of millions of Australian citizens became publicly available on the Internet for about a week. When someone called “Databox” on Raidforum.com offered to sell the registration information of millions of Austrians in New Zealand, New Zealand authorities bought it for a four-figure sum to confirm it came from a GIS breach. Compatibility of data generation method with GIS record keeping.

Police located the suspect after securing a server in Germany from which they allegedly downloaded GIS data. The New Zealand bitcoin transaction also directed authorities towards the hacker, who police suspected of cybercrime.

When Dutch police arrested the suspect in Amsterdam, they found 130,000 databases containing personal information on people in Thailand, China, the Netherlands, Colombia and the UK, including medical records.