The hacker collective Play is threatening to upload half a terabyte of sensitive data from Antwerp residents next Monday. On its dark website, Play claims it includes personal information, passports, ID cards and financial documents. “People shouldn’t underestimate the consequences of such a leak,” says ethical hacker Inti De Ceukelaire.
On the night of December 5 to 6, the city of Antwerp fell victim to a large-scale cyberattack. The Play collective hacked the servers of Digipolis, Antwerp’s IT partner which is integrated into many city services. If the city doesn’t pay a ransom by Dec. 19, hackers are threatening to upload the sensitive data.
Antwerp is not the only city targeted by hackers. Diest and Zwijndrecht have fallen prey to this and a cyber threat is also emerging in Hasselt. As an ethical hacker, Inti De Ceukelaire uses his Intigriti platform to find flaws in digital security systems in order to close them afterwards.
What can someone do with a stolen copy of your ID card?
Inti De Ceukelaire: A lot. Cars can be rented in your name or loans can be taken out. In some hospitals, you can request patient files filled with medical data with a copy of an identity card, which will then be sent to you by post. The same goes for many certificates via government websites. You can remove someone from the population registers of their municipality. Some investment platforms also allow you to consult or modify account numbers or personal data with a copy of your identity card. This way someone with bad intentions can get your money back. Thanks to GDPR (the General Data Protection Regulation which imposes rules on the processing of personal data within the European Union, ed.) you can submit a request to organizations and companies to consult or modify your personal data. For this, you often only need a copy of your identity card. People should not underestimate the consequences of such a leak.
With checkdoc.be, the government offers a way to check if a Belgian identity document is known to have been stolen, lost, expired, invalid or not issued, but the use of this site is not ingrained at all.
What can cities and municipalities do after a hack to protect potentially affected citizens?
The Ceukelaire: In the first place, information is the most important, but for this, citizens must know exactly what data it is. They often don’t know until the data actually leaks, and then the question remains whether the hackers leaked all the data. They can also keep some on hand.
In the United States, people whose credit card information and social security numbers are disclosed are protected against fraudulent transactions. It’s not common for us yet, but if personal data is leaked, I expect the victims to be covered against any harm.
What can you do as a citizen to prevent your data from leaking?
The Ceukelaire: Taking preventive measures is very difficult. As a citizen, you cannot choose the city or town where you leave your details. If they ask for your fingerprints, you can’t refuse that either.
If you are a potential victim, you should be alert to possible risks. But I also think – and this is a task for all of us – that we should hold politicians accountable for structural errors. I’m not advocating a society in which nothing can be hacked anymore – that’s not the case anymore. But we must demand transparency from government and exert sufficient pressure to put cybersecurity at the top of the agenda. If the government wants personal data or biometric data, we should oppose it quite strongly. And maybe we should adjust our voting behavior to ban politicians who don’t pay enough attention. There is still too little investment in cybersecurity unless something happens. This week the budget for this in Antwerp has suddenly increased sharply.
Can the city of Antwerp pay the requested ransom?
The Ceukelaire: No, because then the city is sponsoring a criminal organization. But this is a tricky dilemma. That’s why you should always do a cost-benefit analysis. How much will it cost the city to fix it themselves, versus how much will it cost the city to pay? Paying the ransom should be the very last option.
But whether Antwerp pays or not, the city must in any case consider the personal data as stolen. Just because you pay doesn’t mean the data isn’t disclosed. You cannot trust a criminal organization. You can’t ask them nicely not to run away.