Cyber Incident Victim: Zwijndrecht Police Zone
Date: Nov 2022
Location: Belgium
Summary
A ransomware gang mistakenly breached a Belgian local police unit instead of the intended municipal target, exfiltrating extensive data including personnel details, crime reports, fines, child abuse imagery, and thousands of car license plates. The attackers exploited a vulnerable Citrix endpoint, accessing administrative networks containing sensitive operational information such as telecom metadata, SMS records of individuals under surveillance, and traffic camera footage. While authorities initially downplayed the incident as limited to administrative staff data, investigations revealed broader exposure compromising citizen privacy, ongoing investigations, and individuals' safety. The breach, attributed to human error in data handling and insufficient network protections, is considered Belgium's most significant law enforcement data leak, prompting criminal proceedings and concerns over lifelong identity theft risks for affected persons.
Description
On or around November 25, 2022, the Ragnar Locker ransomware gang breached systems belonging to the Zwijndrecht local police unit in Antwerp, Belgium, after mistakenly targeting what they believed was the municipality of Zwijndrecht. The attackers exfiltrated and later published data spanning from 2006 to September 2022, which included thousands of car license plate records, fines, crime report files, personnel details, investigation reports, and internal administrative documents. The gang reportedly gained initial access by exploiting a poorly secured Citrix endpoint, compromising a network segment containing administrative data. Belgian journalist Kenneth Dée’s analysis of the leaked data confirmed it exposed sensitive law enforcement materials, including telecom subscriber metadata, SMS messages of individuals under covert police surveillance, and traffic camera footage revealing individuals' locations at specific times.

Zwijndrecht Police Chief Marc Snels publicly confirmed the incident via Facebook, attributing the breach to human error in data handling practices. Snels stated the compromised network primarily contained staff information such as personnel lists and event photos but acknowledged some sensitive operational data—including fines, official reports (PVs), and child abuse imagery—had been improperly stored there due to procedural failures. While the police emphasized the breach did not affect Belgium’s national police networks, Dée characterized it as the country’s largest and most impactful law enforcement data leak, compromising investigations and civilian safety. The local prosecutor initiated criminal proceedings focused on the hacking incident itself, though Belgium’s data protection authority had not yet announced an investigation at the time of reporting. Privacy advocate Matthias Dobbelaere-Welvaert warned affected individuals to replace identity documents and license plates due to irreversible risks, criticizing the police’s cybersecurity posture as inadequate for handling sensitive data. The police unit began notifying exposed individuals while facing scrutiny over the long-term operational and privacy repercussions of the breach.
