RDC, a Dutch company that provides garage and maintenance services to Dutch car owners, has confirmed a data breach earlier today after the personal and vehicle details of millions of Dutch car owners were posted for sale on a well-known cybercrime forum.
According to samples reviewed by The Record today, the data includes details that could be used to identify car owners, their homes, and the type of car they drive.
This includes details such as (company/individual) names, home addresses, email addresses, telephone numbers, dates of birth, but also vehicle registration numbers, car makes & models, and license plates.
Dutch television station NOS, which confirmed the data’s authenticity with local sources and engaged with the seller, said the entire package is being sold for $35,000.
The threat actor behind the forum ad claims to be in possession of an RDC database with 7.3 million entries; 2.3 million of which also come with email addresses, allowing the buyers to launch phishing and spam operations against victims.
However, security experts warn that the biggest danger isn’t from spam operators but from car-jacking gangs. The data is a boon for car thieves, which could use it to locate and target expensive cars across the Netherlands.
In a statement posted on its website today, RDC confirmed the incident and said that based on a summary investigation the intruders appear to have gained access to around 60% of its customer entries.
RDC said it was unaware of the hack prior to the data being posted online. The Dutch company also said it already notified authorities of the breach and hired security firm Fox-IT to investigate the security incident.