The customer data of 1.5 to 1.8 million zoo and amusement park visitors has been leaked.
Due to human error, Ticketcounter placed a file with this information publicly online,
The file contains bank account numbers, names and date of birth of visitors to, among others, Diergaarde Blijdorp, de Apenheul and Duinrell.
Ticketcounter discovered last week that the data was sold via the dark web, an anonymous part of the internet that is not accessible with regular browsers.
The company has now taken the file in question offline and deleted it.
However, criminals have already made copies of this.
The criminals also try to blackmail Ticketcounter with the stolen data.
If the company pays 7 bitcoin, the criminals say they will delete the data.
7 bitcoin is worth around 280,000 euros at the time of writing.
Ticketcounter says it will not pay for this and has filed a declaration.
Affected customers placed an order through Ticketcounter between July 23, 2018 and August 4, 2020.
These are customers who bought a ticket for museums, Diergaarde Blijdorp, the Apenheul, Duinrell and events such as Keukenhof, VT Wonen Beurs and Schaatsbaan Rotterdam.
The file contains many important customer data, such as name, e-mail address, telephone number, address, date of birth and IBAN.
Passwords or credit card information have not been leaked.
Criminals can use the leaked data to send highly targeted phishing emails.
Customers are therefore advised to be vigilant about this.
The companies have notified affected customers of the leak.
A report has also been made to the Dutch Data Protection Authority, which is mandatory for such data leaks.
Users can enter their e-mail address on a Ticketcounter website and will then be informed by e-mail whether and what information is known to Ticketcounter.