On Friday, 22 January, the Dutch police, and the Public Prosecution Service received warnings from the GGD that personal details from GGD applications are being made available for sale on Telegram. The Central Netherlands Police Cyber Crime Unit soon launched an investigation. This probe led the team to two GGD call center workers. Consequently, both were hunted down by the police. The offenders were both in Amsterdam on Saturday night, where they were detained and taken to jail. This involves a 21-year-old man from Heiloo and a 23-year-old man from Alblasserdam. Men's homes have been searched and their computers have been confiscated. “Stealing and selling or reselling personal data is a serious crime," the Dutch police stated.
The two are among a wider number of individuals believed to have access to classified information and to have it sold to third parties, and further arrests have not been ruled out, police said in a statement. The selling of personal information through health board networks has been investigated by Broadcaster RTL, and it was disclosed to the association of GGD Health Board earlier this month. RTL states that the offer is not just for names, addresses, and mobile and confidential BSN numbers but much more.
The arrests followed an investigation by RTL broadcaster, which uncovered online advertisements for Dutch citizen info, marketed on instant messaging apps such as Telegram, Snapchat, and Wickr. The advertising consisted of images of computer screens containing the details of one or more Dutch people. The broadcaster claimed that they had monitored the screengrabs of two IT systems used by the Dutch Municipal Health Service (GGD), namely CoronIT, which includes specifications of Dutch people taking the COVID-19 exam, and HPzone Light, one of the DDG's contact-tracing systems.
“Some accounts are offering to look for information about a specific person,” RTL said. “That costs between €30 and €50 and will get you someone’s name, email address, phone number, and BSN number.” Other accounts provide wider data sets containing thousands of names or unique characteristics, such as individuals living in Amsterdam or over 50s.
According to a broadcaster, the two perpetrators operated in DDG contact centers, where they had access to COVID-19 official Dutch government networks and databases. The identities of the two defendants, which were expected to appear before the court on 26th January, have not been released: in compliance with Dutch law.
"Because people are working from home, they can easily take photos of their screens. This is one of the issues when your administrative staff is working from home," Victor Gevers, Chair of the Dutch Institute for Vulnerability Disclosure stated in an interview.