An attacker has stolen the personal data or over 9 million Austrian citizens: this is virtually the entire population of the country. The data was stolen from the GIS (the Austrian equivalent of TV Licensing in the UK) and the breach was discovered on 2020.
The GIS had apparently contracted a third-party IT company to develop its internal databases. The databases contained information on citizen locations to help it track anyone attempting to avoid paying for their license. An employee belonging to the company reportedly used the live GIS data during a test and left the test database online without securing it. The attacker stumbled across the data using conventional search techniques.
Moral: do not use live or real data in test and development systems, no matter how tempting it is. Construct proper sets of test data which can fully test the limits of your systems ability to deal with them, and without compromising your real data when they get breached.
The data is thought to have affected nearly all Austrian citizens, as it has a population of around 9.1 million. The information included names, dates of birth, and registration addresses, said the department head for the Austrian Cybercriminal Police Office.
The breach only came to light when the attacker attempted to sell the data, aggregated with data from other breaches, using an online forum, where it came to the attention of New Zealand law enforcement, who informed the Austrians. It is common in these kind of data breach incidents for the breach to go undiscovered for months or even years before the data has passed through many hands before emerging onto the open market.