The Ragnar Locker ransomware gang released stolen data from what they thought was the municipality of Zwijndrecht, but it turned out to have been stolen from Zwijndrecht police, a local police unit in Antwerp, in Belgium.
The leaked data allegedly revealed thousands of car license plates, fines, records of offense reports, personnel details, investigation reports and more.
This type of data has the potential to expose individuals who have reported crimes or abuses and could compromise ongoing law enforcement operations and investigations.
Belgian media are calling the data leak one of the largest of its kind to impact a public service in the country, exposing all data kept by Zwijndrecht police from 2006 to September 2022.
Police confirm attack
Zwijndrecht police responded to local media coverage via a Facebook post, downplaying the impact of the incident and saying the hackers only accessed part of the network where the police held administrative data.
Police say threat actors could only access data on the administrative network, thus primarily affecting personnel.
Zwijndrecht Police Chief Marc Snels told the VRT news network that the data leak was the result of human error, and they are now contacting everyone exposed to inform them of the incident.
“It is not true that all data has been leaked. This network mainly contains personal information of our staff, such as staff lists and photos of staff parties,” Snels commented to local media.
Impact wider than expected
Although this incident did not impact the national police network in Belgium, the breach in Zwijndrecht’s local network is still important for thousands of people.
Dée’s investigation of the data revealed metadata from telecom subscribers and text messages from people under covert police investigation.
Additionally, the leaked files contain traffic camera footage, exposing the whereabouts of individuals at specific dates and times.
“This is the biggest police leak in Belgian history and probably the most impactful leak we have ever seen in our country,” Dée told Bleeping Computer.
“This should be a wake-up call for local police and the way they handle citizen data, and hopefully this will set things in motion towards change on that front.”
The country’s data protection office has yet to announce an investigation into the matter, but the prosecutor opened criminal proceedings that focus on the hacking incident itself.
Belgian lawyer and privacy activist Matthias Dobbelaere-Welvaert told BleepingComputer that those exposed should change everything they can, including license plates, ID cards, passports, etc.
“You can’t easily change your place of residence, but even if you change all the documents, the repercussions of this security incident could last a lifetime, and identity theft is no joke,” says Dobbelaere -Welvaert.
“It is my opinion that until all systems in the police network are properly protected, no smart cameras should be allowed to turn on.”