Belgium banking data breach

A dataset advertised by the threat actor “kuna” appears to expose the personal and banking records of about 300,000 people in Belgium. (tornews.com) Researchers who reviewed the sale post said the records include International Bank Account Numbers, Belgian social-security identification numbers, salary data, disability status, and family details such as marriage information. One earlier breach alert described a similar Belgium dataset as covering records from 2017 to 2024 and claimed more than 500,000 entries, suggesting the exact count is still unverified. (tornews.com) (brinztech.com) No Belgian bank, social-security agency, or regulator had publicly claimed responsibility in the material reviewed, and observers cited in the reporting said the mix of payroll, family, and banking fields points to either a bank-linked system or a social-security database. Belgium’s social-security portals and National Social Security Office both handle citizen and employment records, including the national social-security identifier known as the NISS. (tornews.com) (mysocialsecurity.be) (nsso.be) (socialsecurity.be) In Belgium, the NISS is the unique number used to identify people in the social-security system, and official guidance says it corresponds to the national register number for people listed there. That makes a leak combining NISS numbers with bank account identifiers more useful for identity fraud and highly tailored phishing. (socialsecurity.be) (workinginbelgium.be) The banking detail in the reported leak is the International Bank Account Number, or IBAN, which is the standardized account identifier used for euro payments across the Single Euro Payments Area. European Union guidance says IBANs are used for transfers, bill payments, tax refunds, and benefit payments across member states. (europa.eu) (europeanpaymentscouncil.eu) That does not mean an International Bank Account Number alone lets a criminal empty an account, but it can help with fraudulent direct-debit attempts and convincing impersonation scams when paired with names, salaries, and government identifiers. Under Single Euro Payments Area rules, consumers can seek refunds for unauthorized direct debits for up to 13 months after the debit date. (brinztech.com) (webapp.sebgroup.com) Belgium’s data-protection regime requires organizations to report personal-data breaches to the relevant authority quickly. European Data Protection Board guidance says breaches that present a risk to people must be reported under Article 33 of the General Data Protection Regulation, and Belgian legal updates say the first part of a notification generally must be filed within 72 hours. (edpb.europa.eu) (lexology.com) (cms.law) Belgium has spent the past year warning that data theft and social engineering remain central cyber risks. The Centre for Cybersecurity Belgium said in its 2025 key figures that it handled a sustained operational workload, and its 2025 threat-landscape report said data theft and account compromise remained among the country’s top cyber threats. (ccb.belgium.be 1) (ccb.belgium.be 2) If the leak is confirmed by Belgian authorities, the next steps are routine but urgent: identify the source system, notify regulators and affected people, and watch for fraud built on real payroll and identity data. Until then, the clearest fact is that a criminal seller is marketing a large Belgium dataset with enough detail to make impersonation far easier. (edpb.europa.eu) (tornews.com)