A notorious ransomware group has begun leaking highly sensitive data it stole from Belgian police, in what is being described as one of the biggest breaches of its kind in the country.
RagnarLocker has been connected to the incident, which hit the Zwijndrecht police force in the city of Antwerp.
“Police Zwijndrecht had to deal with a serious case of hacking earlier this year. The internet criminals were able to gain access to the administrative network,” read a post on the force’s Facebook page (via Google Translate).
“The police zone personnel, which is most impacted, has been informed. Due to the secrecy of the investigation, we limit ourselves to this information.”
However, while administrative staff are most impacted by the incident, they’re certainly not the only ones.
Chief Commissioner of Police Zwijndrecht, Marc Snels, admitted to local news site VRT that “it is indeed also the case that some sensitive information was on that network,” even though it is meant to reside on a separate network.
“This is a case of human error, and this is how crime reports and fine notices, but also photographs of child abuse have been leaked,” he continued. “This is of course particularly regrettable.”
The report suggested that records dating back to 2006 were accessed by the hackers.
It’s unclear how many citizens are affected by the breach, but they include victims, perpetrators, witnesses and those under surveillance – with potentially far-reaching consequences if their identities are uncovered.
According to the report, Snels has “no idea” how the ransomware actors breached the force’s IT systems, although steps were taken to contain the incident as soon as it was discovered.
A potentially bigger concern for him now will be the regulatory scrutiny that will no doubt follow, presumably focusing on how the network was breached and why sensitive crime data was allowed to be stored on it.
The scope of the GDPR also extends to cover employees, so any officers or police staff also exposed in the incident will be taken into consideration by the local privacy watchdog.