Dutch Company RDC Confirms Security Breach
RDC Said It Was Unaware of the Attack That Affected 7.3 million Dutch Car Owners Prior to the Data Being Leaked Online.
Earlier today, RDC, a Dutch company that provides garage and maintenance services to Dutch car owners, confirmed a security breach after the personal and vehicle details of millions of Dutch car owners appeared for sale on a well-known cybercrime forum.
As reported by RDC NEWS, the data included names, addresses, email credentials, phone numbers, birth dates, vehicle registration numbers, car makes and models, as well as license plates. Dutch television station NOS confirmed the entire package is being sold for $35,000.
The attacker behind the forum ad claims to be in possession of no less than 60% of RDC’s 7.3 million entries database, 2.3 million of which also come with email addresses, allowing the buyers to launch phishing and spam operations against victims. RDC confirmed that no IP addresses have been leaked.
After we were told on Wednesday that vehicle and personal data were for sale on the internet that could possibly originate from RDC, we immediately started an investigation to find out what happened. We have now brought in Fox-IT, an expert in the field of computer and network security, to investigate with us how the data ended up outside our domain. We are also in contact with the police to report the crime.
According to cybersecurity specialists, the real danger doesn’t come from spam operators but from car-jacking gangs. The data is a stroke of luck for car thieves, who could use it to locate and target expensive cars across the Netherlands.
The company stated that they are not allowed to inform consumers about the security breach by law. RDC acts as a processor within the meaning of the law for the services it offers. Car companies call in RDC to carry out part of their process. A car company has agreements with its customers (the consumer) and therefore the car company is the controller within the meaning of the GDPR. For that reason, the company is not allowed to contact the end customers directly.
However, RDC assured they are doing everything they can to inform car companies as well and extensively as possible and support them in their communication to consumers.