For months, the passport data of thousands of people was accessible on the internet. Lists containing names, dates of birth, and passport numbers were freely available for download to anyone who visited the website of the Belgian data marketplace „Databroker“. netzpolitik.org uncovered the data leak last July. The Belgian data protection authority is responsible for the case, but declined to comment publicly. The agency is not allowed to talk about ongoing or potential investigations.
Around 30 lists containing passport data were available for download on the site. An anonymous seller had uploaded them to the marketplace as a free preview of even larger data sets. The data appears to be authentic, last year netzpolitik.org was able to identify several affected individuals in Germany and Hungary.
Preview samples are common in the industry, but are usually only shared upon request. On databroker.global however, samples were available online – without even basic password protection. Trading in such data likely constitutes a violation of EU data protection rules (GDPR).
For those affected, the exposure of their passport details poses a serious risk. Fraudsters could exploit such data to sign contracts or create counterfeit passports online.
An email delayed by several months
The Belgian start-up SettleMint, which specializes in blockchain technology, is behind „Databroker“. The founders, Matthew Van Niekerk and Roderik van der Veer, present themselves as blockchain experts, promoting their company on LinkedIn and YouTube.
SettleMint’s core product is a system that allows other companies to program applications on the blockchain. The company claims that its modular system would enable others to achieve their goals faster. Customers are said to include a Japanese tech company and several banks.
In 2022, SettleMint was able to raise several million euros in venture capital. The EU also provided millions in funding for the start-up.
Last year, netzpolitik.org reported on the leaked passport data on „Databroker“ – initially without mentioning the platform’s name because the data was still accessible. As part of our reporting, we sent a list of questions to the company via multiple channels – including by post to its address in Leuven, Belgium. At the time, we received no response.
In July, the marketplace disappeared from the internet – just days after we contacted the company and shortly before our report was published. The site was no longer accessible via its domain and remains so to this day.
In November 2024, someone finally reached out to us via email. The sender stated that SettleMint had recently hired them as a data protection officer and that they had received our inquiries.
On behalf of SettleMint, this person answered only one of our many questions: why „Databroker“ had gone offline just before our report was published. According to them, „Databroker“ was sold to another company in the second quarter of 2024, which is why the site is now offline. We were unable to verify this claim.
Belgian data marketplace publishes passport data of thousands of people
Story of a failed idea
„Databroker“ was apparently another business venture of the two SettleMint founders, in addition to their blockchain construction kit. The platform was intended to be a „peer-to-peer marketplace“, enabling companies and public authorities to buy and sell data from networked devices – so-called IoT data. This type of data is generated wherever connected devices with sensors are used, such as in traffic, manufacturing, and agriculture.
Providers were expected to market access to this data in a decentralized manner using the Ethereum blockchain. SettleMint outlined this vision 2017 in a whitepaper. However, we were unable to verify whether any data has ever been traded on the platform. SettleMint did not respond to our inquiries. Archived versions of the website do show listings for such data, including traffic or air quality data.
To launch the project, SettleMint created two crypto tokens in 2017 and 2018: Databroker DAO and, a few months later, Databroker DTX. This approach was not uncommon around that time, says Thomas Gloe from the IT forensics company dence. Companies sold tokens to investors as part of an initial coin offering (ICO). „This made it easy to raise large amounts of venture capital,“ Gloe explains. At the beginning, there were no clear legal requirements for ICOs, he says, making it a quick funding method for companies.
According to SettleMind’s blog, the company sold tokens to investors in two rounds in 2017 and 2018. Investors paid in cryptocurrencies such as Ether or Bitcoin.
The minimum amount that ended up in SettleMint’s wallets can be tracked through the sales contracts mapped on the Ethereum blockchain, says Thomas Gloe. At least partially. According to the contracts, SettleMind received approximately 2,300 ETH in the two ICO rounds. At the time, that was worth around 1.05 million US dollars. In addition, further purchases were made using other payment methods, but these transactions could not be fully traced through the smart contract system.
SettleMint did not respond to questions regarding the total amount raised.
“Everyone lost money”
The project got off to a slow start after the funding rounds. Initially, SettleMint apparently actively developed the marketplace „Databroker“: building the platform, presenting it at trade fairs and recruiting customers. „Just two more weeks, and everybody will be able to start trading sensor data,“ a 2019 blog post promised.
By late 2022, public communication about the project had ceased. In a Telegram group SettleMint had created for the „community,“ investors accuse the company and its founders of a lack of progress, transparency and insufficient investment in “Databroker.” When asked about these allegations, SettleMint did not respond.
„We made a product, it is not working,“ an account named „DTX Community databroker“ posted in the Telegram group in the summer of 2023. „Everyone lost money. Chapter closed.“
Group members also point out problems with „Databroker“, such as the fact that, in addition to reputable providers, offers for personal data were also available. They urged the company to „manage“ the platform. An account claiming to be a project manager replied: „We do it time to time. We do not control what people publish.“
Whether this account genuinely belonged to a SettleMint project manager is something we cannot verify. When asked how the company monitored the offers on „Databroker“, SettleMint did not respond.
With EU funding to Las Vegas
Despite these issues, SettleMint continues to receive EU funding. Between 2019 and 2021, the company received more than 1.8 million Euro from the European Commission’s Horizon 2020 funding program in order to expand its business internationally.
Earlier this year, SettleMint was invited to CES, the world’s largest technology trade show in Las Vegas. The company was part of a delegation of 15 selected start-ups showcased in the European Pavilion. This was made possible by the European Innovation Council, an EU funding agency that supports small and medium-sized businesses. SettleMint is currently participating in another program of the funding agency designed to support selected companies in scaling up.
According to the funding regulations, the European Commission could demand the partial repayment of the funding if a company is found to violate data protection laws. However, this would only apply if the violation was directly linked to the funding agreement and the funded project.
The European Commission declined to comment on the total amount of EU funding SettleMint has received or on the potential consequences if the Belgian data protection authority should find a violation.
0 Ergänzungen