“If everything the city says is right, we are witnessing a Christmas miracle”

According to the Antwerp city council, the data stolen by hackers has not caused any serious harm to citizens. It is said to mainly concern administrative data. Experts have their doubts about that explanation.

Peter Gordts

“From what experts have been able to determine to date, there are currently no indications that personal data has been stolen that could seriously harm private individuals.” That is what Antwerp mayor Bart De Wever (N-VA) said at a press conference on Monday morning about the attack by hacker collective Play.

Monday was therefore Deadline Day, the day on which the city had to pay a ransom in exchange for the data that the hacker collective had captured about two weeks ago. De Wever reaffirmed what he had already stated: that the city did not pay any ransom and did not negotiate with the hacker collective. The city itself had no explanation for why Antwerp is no longer listed on the Play website.

It is a story that Pieterjan Van Leemputten, IT journalist at Data News, finds hard to believe. “I would find that very strange,” he says. “If everything the city says is correct, we are witnessing a Christmas miracle. So what do I think happened? That’s pure speculation. Perhaps another party or company has paid on behalf of the city and this will be reimbursed afterwards? I do not know.”

Follow crumbs

The city did, however, provide additional explanations about what had happened. Play’s open assault on city services began on Dec. 6. “We found out through forensic investigation that the hackers had been in the city’s systems since November 24,” says Youri Segers, Chief Digital Officer and CEO of Digipolis. Segers could not or would not say how Play gained access to the city’s systems.

When the attack came to light, the city quickly went into a digital lockdown. As a result, many city services were unavailable for a while. This is still the case for some services. There is a good reason for this slow restart: the city does not want to restart systems until it is sure that the risk of a new attack is not too great. It may take until the end of January before all services are running again. In the meantime, the city is also building a new digital infrastructure with better security.

Almost immediately after the attack, Antwerp itself also went in search of which data the hackers managed to steal. To do this, it followed the traces left by Play and checked the most sensitive data itself. “If we put together all the crumbs we found, we end up with a package of data that is about the size of what the criminals themselves claim on the dark web to have captured,” says Bart Bruelemans, Chief Resilience Officer.

As far as Antwerp can determine, it is mainly administrative data that the hackers were able to access. This concerns personnel data, e-mails, construction plans, insurance files or accounting data. Although the city is taking a serious hit. “These groups specialize in staying under the radar,” says Segers.

“How well can they trace exactly what has been stolen? That is and remains the question,” says professor of computer security Bart Preneel (KU Leuven). “If hackers erased traces, the city doesn’t know. That is why the wording of the city is so careful. It cannot now say with absolute certainty what information was leaked. A message of ‘we can sleep soundly’ would not be appropriate here.”

Sensitive information

On the other hand, according to Preneel, it is possible that the hackers are not specifically looking for sensitive information, but simply try to get hold of as much as possible. “Those hackers are not Flemish people,” he says. “Maybe they don’t know what to look for. For example, it could be that they have hit systems that are less sensitive. Although personnel data or building applications may also contain sensitive information.”

That is what disturbs computer scientist Jeroen Baert about the communication of the city of Antwerp. “It seems as if Antwerp is making an error in estimating how much trouble even secondary data such as an email address, name or time of meeting can cause for phishing. Now suppose a hacker knows when we have agreed. If that hacker sends you an email in my name asking if you can ‘check this document after our meeting last week’, you quickly assume that only the real Jeroen Baert can know that there was an agreement, so you open that document. It may be that this is all part of a communication strategy to say as little as possible, but the fact that the possibility that a lot of sensitive data has been leaked is not taken into account does not inspire confidence in me.”

Perhaps the city of Antwerp is not revealing everything it knows. All experts, though, are only too aware of why that would be the case. “I would understand that,” says Van Leemputten. “As a journalist I would rather see all the information on the table. But when it comes to ransomware, I know companies and governments can’t share everything. You do not want to give criminals the signal that you are open to paying a ransom, for example.”

The city of Antwerp would also indirectly contribute to attacks on other targets. That risk should not be underestimated. The city’s investigation showed that other cities such as Leuven, Hasselt and Genk may also be at risk. The Flemish Association of Cities and Municipalities (VVSG) confirmed to press agency Belga that they were taking measures.
