The Netherlands is dealing with what looks like one of the largest data breaches in the nation so far. Late last week, Dutch public broadcaster NOS revealed that customer data of millions of car owners are available to cybercriminals. They were stolen from a Dutch company called RDC, that provides IT services to auto shops and car dealerships.

The stolen data includes home addresses, telephone numbers, birth dates, license plate numbers and car data of 7,3 million car owners.

Email addresses for 2,5 million car owners were listed. Some of the data is publicly available on the internet, the entire data set is offered on a popular hacker forum for 35.000 dollars. According to NOS, personal data of several well-known people are part of the data set, including that of a leader of a Dutch political party.

RDC has notified the Dutch authority for protection of personal data (Autoriteit Persoonsgegevens). The company is “shocked” about the stolen data and says it has no knowledge of a recent breach in their systems, suggesting cybercriminals have been holding on to the data for a while now.

Cybersecurity researcher John Fokker at McAfee tells reporters at NOS the data set is “super useful” for bad guys. “If they get their hands on this data, it just takes one click to see where expensive cars are probably parked. They can tell where people live and what car they drive.” Additionally, spear phishing becomes surprisingly easy for cybercriminals.

Research into the breach is ongoing. The Autoriteit Persoonsgegevens says there were 76 of these ‘mega data breaches’ (involving data of >100.000 people) in The Netherlands in 2020.