300k Belgian records exposed

A large dataset from Belgium containing about 300,000 citizens’ details—including names, social security numbers, IBANs, family and payroll information—is being sold in bulk by a threat actor known as “kuna.” The records appear to target payroll and social security systems and are being offered in lots of 1,000 records per transaction, which increases risk of fraud stemming from leaked personal and financial data. This incident flags heightened exposure for European financial services that rely on payroll or social‑security feeds. (x.com/VECERTRadar/status/2043059648169914480)

A criminal seller using the name “kuna” is advertising a database that allegedly contains personal and financial records for about 300,000 people in Belgium. (x.com) The listing says the files include names, Belgian national registration numbers, International Bank Account Numbers, payroll details, and family information, and that buyers can purchase the data in batches of 1,000 records. A separate breach report published April 12, 2026, described the same cache as containing salary data, disability status, and marriage details. (x.com) (tornews.com)

In Belgium, the national registration number is an 11-digit identifier tied to a person’s government record, and it appears on Belgian identity documents. The federal help center says every citizen with a Belgian identity or residence document has one. (bosa.belgium.be)

An International Bank Account Number, or IBAN, is the bank account code used across Europe for transfers. Belgian banking groups and regulators have repeatedly warned that account details and identity data are the raw material for phishing, impersonation, and payment fraud. (wise.com) (febelfin.be) (nbb.be)

Payroll and social-security systems are especially sensitive because they combine identity data with salary and payment instructions in one place. Belgium’s National Social Security Office operates one of the country’s core social-security systems, and payroll security firms have described salary-payment workflows as a growing fraud target. (nsso.be) (isabel.eu)

European banks only recently added a broader name-check step for transfers, called Verification of Payee, to help catch cases where an account name and IBAN do not match. The European Payments Council said its rulebook entered into force on October 5, 2025, and the European Central Bank said euro-area payment providers had to offer the check from October 9, 2025. (europeanpaymentscouncil.eu) (ecb.europa.eu)

That control does not solve the bigger problem if criminals already hold a full identity profile. Belgium’s Federal Public Service Finance, the Financial Services and Markets Authority, and the National Bank of Belgium all warn that fraudsters use official branding and personal details to make messages look legitimate. (finance.belgium.be) (fsma.be) (nbb.be)

Belgium’s data-protection regime requires organizations to notify the national authority through a dedicated breach portal when personal-data incidents occur. The Belgian Data Protection Authority’s portal went live on June 10, 2025, and the authority says breach notifications must be filed through that system, not by email. (cms.law) (autoriteprotectiondonnees.be)

No Belgian public agency had been identified in the material reviewed for this thread, and the original seller’s claims remain allegations unless a victim organization confirms the source and scope. But the combination of government identifiers, bank coordinates, and payroll data is exactly the mix that fraud warnings in Belgium have spent the past year describing. (x.com) (finance.belgium.be)
