Millions of Belgian residents fall victim to large-scale data leak

An investigation has discovered a massive data breach, affecting millions of Belgians as well as high-ranking European officials working in Belgium.

Location data stored on smartphones was stolen through mobile gaming and online shopping applications, according to an investigation published by daily newspaper L’Echo and other news outlets.

Contrary to the supposedly “anonymous” nature of the data collected, L’Echo was able to identify individuals to which the data belonged.

Above all, the newspaper could track the online actions of at least five people affiliated with the European Union, three of whom hold high-level positions.

“When using gaming or weather apps, certain information, like precise locations, is sent via a somewhat obscure system to data brokers, who then collect this information to resell it for marketing or advertising purposes,” said Nicolas Baudoux, data journalist at L’Echo.

However, if the information is not being held securely enough, critical institutions and businesses as well as individuals located in Belgium could be exposed to risk.

Meanwhile, NVISO, a Brussels security firm, recently discovered a large-scale cyber-espionage campaign that, at present, does not seem connected to the data breach found by L’Echo.

NVISO uncovered more that 1,500 servers connected to VShell, a malware based in China and used for infiltration of government agencies, healthcare providers, military institutions, and research organisations.

The malware enables hackers to remotely access the networks of each compromised server, allowing observation of computer activity and the ability to download or upload files.

Although the two incidents are not currently being treated as connected, they point to larger insecurities in cybersecurity and online safety.

While the General Data Protection Regulation (GDPR) requires applications to only use essential data in Europe, some nevertheless transgress their official terms and conditions.

Aurélie Waeterinckx, spokesperson for the Data Protection Authority, advised caution: “If a weather app asks for your location, that seems logical. However, if it asks for access to your contact list, that is not. Similarly, if a gaming app asks you for your location when there is no reason that justifies it, it would be better to be wary.”