Dutch hacker steals data from virtually entire population of Austria

The Austrian parliament building in Vienna
(Image credit: Getty Images)

A Dutch hacker has been arrested after reportedly stealing data belonging to 9 million Austrian citizens through a misconfigured cloud database.

The attack was initially discovered in May 2020 and concerned the Fees Info Service (GIS) - the organisation responsible for collecting TV and radio licence fees in the country.

It revealed at the time that it had suffered a data breach, with data previously stored by the GIS, belonging to Austrians, was discovered on a dark net marketplace.

The hacker, whose identity has yet to be revealed, was arrested in the Netherlands in November 2022, Austria's Federal Criminal Police Office (Bundeskriminalamt/BK) revealed on 25 January, as reported by Die Presse.

The BK said the GIS had hired an unnamed IT company based in Vienna to restructure its internal databases. The databases contained information on citizen locations to help it track anyone attempting to avoid paying a broadcast fee.

An employee belonging to the company reportedly used the GIS data during a test and left a database online without securing it. Investigators said the hacker found the data through a search engine 'that wasn't Google'.

The data is thought to have affected nearly all Austrian citizens, as it has a population of around 9.1 million. The information included names, dates of birth, and registration addresses, said Klaus Mits, department head for the Cybercriminal Police Office in the BK.

The police were alerted by New Zealand authorities that an individual was trying to sell the data on notorious online hacker haven RaidForums using the name “DataBox”. Investigators then secretly bought the data for an amount of money they said was in four digits.

The culprit’s identity was then confirmed after a German server used by the hacker to store the downloaded data was seized and analysed. Investigators also found that the money for the data was exchanged in a cryptocurrency which the police said was easy to recognise.

Austrian police then contacted the Dutch authorities, and together they determined that the hacker had downloaded other information, in addition to the 9 million Austrian records, taken from around 130,000 databases.

The data wasn’t only from Austria - it included records on individuals from the Netherlands, the UK, China, Colombia, and Thailand. The hacker was also selling health data belonging to patients located in these other countries.

"The rapidly growing cyber crime will continue to be fought with all vehemence and new methods in the future," said Gerhard Karner, interior minister at the Austrian government.

"This case shows how important and necessary investigations in cyber space are. Our investigators have the know-how and no perpetrator should be sure of being able to disappear into the anonymity of the internet.”

IT Pro has contacted NCSC for comment on the UK data involved.

What does this mean for Austrian citizens?

“This could happen to any other nation. They all depend on third parties, they all have insiders that may be unhappy, and they all have access to such data elements,” Andreas Wuchner, a former global CISO and current cyber security advisor, said to IT Pro.

“Similarly, they are all facing shortages of resources and budgets alongside a rapid shift to the cloud and self-service functionalities. It’s a perfect storm, so this breach shouldn’t really be a surprise to anyone.

“That’s not to minimise the concern that citizens in Austria and across Europe should be facing. This registration data could make it very easy to impersonate someone, register for digital services and so on,” he added.


Cost of a data breach report 2022

Discover the factors to help mitigate breach costs


“Paired with some criminal energy and knowledge of how to obtain letters being sent before they reach someone’s letterbox, it opens up lots of seriously concerning opportunities for malicious actors to use the data to make money, buy goods, or access sensitive information - like digital health records - that could open individuals up to blackmail.”

Rebecca Harper, head of cyber security analysis at ISMS.online, said that citizens should be aware that there is an increase in the risk around identity theft, fraud, and financial losses for individuals.

"It also raises concerns about government and private organisations' security and protection of personal information," said Harper. "Citizens must be vigilant and monitor their financial accounts and credit reports to detect suspicious activity.”

“This incident does highlight the vulnerability of personal data in the hands of government agencies and the potential for it to be accessed and misused by hackers, which is a meaningful conversation to have ongoing," Harper said.

"It's vital for governments to have robust cyber security measures in place to protect citizens' personal information and to ensure that any breaches are quickly identified and addressed.”

Zach Marzouk

Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.