For weeks, the personal data of thousands of people was openly available on a data marketplace. It was only after we had alerted the Belgian company that they took the data offline. People from several countries were at high risk of data misuse and fraud.
A Belgian data marketplace has published the passport data of thousands of people on the internet. For months, lists with the names, dates of birth and passport numbers of the people concerned could be downloaded from the website of Databroker. Not hidden away in some corner of the dark web, but on a website where search engines could easily find the data. (The page can no longer be reached via the domain.)
Around 30 such lists were available for free download on the site until the beginning of July – months after netzpolitik.org had pointed out the problem to the company.
The data includes information on citizens of Germany, France, Belgium, the Netherlands, Hungary, Estonia and the UK. It also includes passport data of children. It’s unclear where the data comes from or who uploaded it to the platform. Databroker does not sell its own data, but acts as a trading platform – a marketplace where others can offer or buy data.
The data is apparently genuine. netzpolitik.org has tracked down several people whose names were found in the data, who confirmed that their information is correct.
A smorgasbord for fraudsters
The lists are free samples: a kind of preview of even larger data sets that providers use to show what they have to offer.
Offering potential customers such samples is widespread in the industry. However, they are usually protected by a password or only sent on request. It’s unusual for a seller to make the data publicly available on the internet – and dangerous for those affected.
Passports are among the most widely used forms of identification, making them a popular target for fraudsters. The passport number, in combination with the name, date of birth and expiry date of the passport – as in this case – opens up a range of possibilities for fraud.
Anyone who receives this smorgasbord of data can, for example, conclude contracts on the internet – or create fake passports with the real data. Phishing attacks also become more credible if fraudsters already know their victim’s name and date of birth – this way they can get hold of further data.
„The publication of this data can have far-reaching consequences for those affected“, warns Felix Mikolasch of the data protection organization noyb. „They could, for example, be wrongly affected by debt collection claims or criminal proceedings because someone has impersonated them.“ Especially on the internet, many contracts can be easily concluded with ID data.
Blockchain company operates data marketplace
Databroker is part of the blockchain company Settlemint, registered in Belgium. The two founders, CEO Matthew Van Niekerk and CTO Roderik van der Veer, are very active on LinkedIn. Van Niekerk publishes his own newsletter and a “Blockchain Podcast” called “Chief Digital Heroes”.
They founded Settlemint in Belgium in 2016. According to their own information, the company has offices in India, Singapore, Japan and Dubai in addition to its headquarters in Leuven. Its customers are said to include well-known companies such as Fujitsu and the supermarket chain Carrefour. Settlemint provides training and a platform that companies can use to build their own blockchain applications.
As part of the Horizon 2020 funding program, Settlemint received more than 1.8 million euros from the EU Commission: innovation funding to expand its business in other countries.
netzpolitik.org contacted Databroker and Settlemint in several ways to ask questions – without receiving a response. We also tried to reach the company at its location in Leuven, close to Brussels. There is a doorbell with the name of the company, but on ringing, nobody opens the door.
netzpolitik.org reported on the data leak back in April. At the time, we did not name the marketplace or the company because the lists of passport data were still on the internet – even after we had pointed it out several times. netzpolitik.org had initially only discovered one file containing passport data, mostly of German citizens. After further research we realized the problem was much bigger.
„Keeping control of your data“
Settlemint advertises the idea behind Databroker in a blog post: other data marketplaces either buy the data themselves or rely on the infrastructure of third parties, the company writes.
Databroker, on the other hand, is designed to function in a decentralized manner – and thus to be particularly secure and smooth. Sellers can offer data via the platform, and interested buyers can request it. Transfer and payment are to be handled in a decentralized and automated manner via a blockchain infrastructure. A kind of global classified ads portal for data, peer-to-peer, without intermediaries.
“Keeping control of your data,” Settlemint advertises its platform: providers can decide for themselves whether they want to share their data „publicly or privately“. But what if providers do not publish „their“ data at all, but rather data belonging to other people – presumably without their consent?
Sensitive passport data of Germans published online
Passport data of thousands of people
netzpolitik.org was able to download a total of 30 files with passport data from the marketplace website. They were stored in a subfolder for sample data sets that was openly accessible. Some of the files are Excel tables, some PDFs or Word documents.
A few of the files are named with a country code: HUN for lists with passport data mainly from Hungary or GBR for Great Britain. Sometimes there are 200, sometimes 500 names per list. In total, the data of thousands of people was openly available on the internet in this way.
netzpolitik.org was able to identify several people on the lists. They live in Bavaria or Lower Saxony, in Budapest or in the Hungarian countryside. Some confirmed that their data is genuine when we contacted them. In other cases, the names and dates of birth that we found online match the information on the lists.
All those contacted were surprised to find their data on the marketplace. „Data protection, you hear about it all the time,“ says one of them over the phone. „But when you see your own data openly on the internet, it’s a different feeling.“
A trail leading to airlines
There are indications that the ID data could have found its way onto the internet via airlines. Some of the file names refer to the Turkish airline Corendon, a holiday airline. Two of the people affected, with whom netzpolitik.org spoke, stated that they had flown with Corendon.
We found some of the lists not by searching in the browser, but via offer pages on Databroker. The seller was an account named “Wizzair airlines”. The offer: allegedly passenger data of passengers from Germany, France or Belgium. This page was deleted after our first inquiries.
Wizz Air is a Hungarian low-cost airline. When we asked whether the data came from actual airline passengers, Wizz Air did not respond. However, it is not unlikely that the data came from another source.
Data sellers on Databroker can give their accounts any name they like, including misleading names. All you need to register is a working e-mail address. File can also be named freely – for example, if someone wants to give the impression that they have obtained passenger data from a legitimate source.
Meta-data of a nocturnal seller
In the travel industry, data passes through many hands. Customers book through a travel agent or use portals to find cheap offers. In some cases, you are already asked to enter your passport details before proceeding to an airline for booking. At all these points, data could be leaked or passed on without authorization.
The metadata of the files could provide a clue to the seller: they show when a file was created and with what. the earliest lists are from August 2023, the most recent from the beginning of February. They were created with Microsoft Word or Excel on a Dell computer, and mostly late in the evening – at a time when most people in an office have long since gone home.
The data does not say whether the seller actually found buyers on the Belgian marketplace. If someone sells data on the platform, Settlemint also earns money from the transaction. According to its own information, the platform retains ten percent of the selling price as a fee.
Settlemint did not answer our questions about Databroker’s turnover and business model. Questions about whether and how it checks whether offers are legal and whether providers have the right to sell the data offered also remained unanswered.
How data brokers sell our location data and jeopardise national security
„Most likely illegally posted on the internet“
„The sale of such data sets is probably illegal,“ writes Elisabeth Niekrenz, a lawyer specializing in data protection at the law firm Spirit Legal.
In theory, it is conceivable that the provider would have obtained consent to sell the passport data. However, the hurdles for this are very high: such consent must be informed, voluntary and unambiguous. This means that people must understand what is to be done with their data and they must explicitly agree to it.
„A note in the small print is definitely not enough,“ says the lawyer. She doubts that those affected would consent to the sale of such sensitive data if they were informed of the details.
„It is hard to imagine that there is a legal basis for this,“ says Felix Mikolasch, a lawyer at the Austrian data protection organization noyb. He also believes it is highly likely that the data ended up on the internet illegally.
Entitled to compensation
Because ID data can be misused so easily, companies must not only notify the data protection authorities in the event of a data leak, but also the persons concerned themselves. This apparently did not happen. People contacted by netzpolitik.org say they only found out about the publication of their data through us.
Elisabeth Niekrenz points out that those affected are likely to be entitled to compensation and can take legal action. This applies to the unknown company where the data was originally stored. But also to the data marketplace that published the lists on its website.
Data from passports is considered personal data because it can be used to identify individuals. For the EU, the General Data Protection Regulation (GDPR) sets out the conditions under which such data may be stored and shared.
Possible consequences for data marketplace
It is not yet clear whether and how data marketplaces such as Databroker can be held responsible if illegal data is traded on their platforms. A recent investigation by netzpolitik.org and Bayerischer Rundfunk into the trade in location data of an estimated million Germans showed how easy it is to construct movement profiles from this data – including those of people in security-relevant areas. In this case, the contact to the data dealer was mediated by a marketplace based in Berlin.
The operator of the marketplace is unlikely to be held responsible under the GDPR. The company was only a broker in this case. And anyone who does not process data themselves cannot be held responsible under the GDPR – the Berlin data protection authority concluded.
In the case of the Belgian marketplace that published the passport data, however, the situation could be different. Databroker is apparently more than a broker: the lists with the passport data were publicly available on the internet – uploaded directly to Databroker’s website.
The Belgian data protection authority is now responsible for investigating whether Databroker has violated the GDPR by publishing the data. In April, the authority did not want to comment on the specific case, saying that it was not allowed to comment publicly on “ongoing or potential proceedings”. We received no response to our renewed request. (After our publication, the authority contacted us with the same statement as before.)
According to the GDPR, failure to comply with consent requirements can result in penalties of up to four percent of annual turnover or 20 million euros.
Die Arbeit von netzpolitik.org finanziert sich zu fast 100% aus den Spenden unserer Leser:innen.
Werde Teil dieser einzigartigen Community und unterstütze auch Du unseren gemeinwohlorientierten, werbe- und trackingfreien Journalismus jetzt mit einer Spende.