If you’re a cybersecurity enthusiast, then you must have heard of the recent case of Erkan S., a data trader (known as Databox) who was sentenced to prison for stealing and dealing in the personal data of millions of people.
A Massive Data Heist
Erkan S., hailing from Almere in the Netherlands, was handed a three-year prison sentence, with one year being conditional, for dealing in stolen databases packed with personal information.
These databases contained data from various sources including the details of many Dutch sport climbers, medical data of 4.4 million Colombians, and the bank details of 9 million Austrians, among others.
The court in Amsterdam stressed that these data are precisely the type that should never be made public. Users should be able to trust in the confidentiality of the personal information they provide online. In his actions, Erkan S. has made a significant violation of this trust.
The Consequences of Data Trading
Databases like the ones Erkan offered for sale on internet forums are used by criminals to commit fraud. They might, for example, send emails with links attempting to trick the recipient into revealing their password. Or they might send messages or make calls that appear to be from a family member or a bank, respectively, but are actually from criminals seeking money.
The Public Prosecutor’s office views the sale of these datasets as the onset of crime with ‘unprecedentedly high damage’. The buyers of these datasets, who are criminals themselves, use them to find victims. For instance, they could combine data to target vulnerable individuals, like women born in the 1940s, who are now in their seventies and eighties, and approach them with confidence tricks.
The Double Life of a Data Engineer
Erkan, 25, worked as a data engineer at a real estate company in Amsterdam during the day. In his free time, he dealt in stolen databases, which are offered and resold on the internet by hackers. He likened his collection of these databases to collecting Pokémon cards.
Erkan was also involved in phishing. Police found a phishing email and hundreds of recovery codes for online wallets used to store cryptocurrencies on his computer. The court also convicted him for stealing €300,000 in cryptocurrencies; the victims of this theft are unknown.
An Even Bigger Case
Erkan is also a suspect in an even bigger case yet to be presented in court. Along with three other Dutch individuals – two in their twenties and one teenager – he is accused of breaking into the computer systems of companies, stealing data, and then extorting the companies, including the Dutch company, Ticketcounter. One company paid 700,000 euros (in bitcoins) to recover their data.
The police previously stated that they had never encountered such large-scale data trading in the Netherlands, involving data ranging from phone numbers and account numbers to vehicle registrations and passport details. It is possible that data from every Dutch citizen has passed through the PCs of these four individuals at some point.
Done reading? Continue with Cyberattack Defense 101: Essential Tips for Everyone.
