The personal information and passport details of more than 2 million Russian citizens, including government employees and members of the country’s political elite, have been exposed through multiple government websites, reported several website security audit firms.
Informational Culture activists, a Russian
non-profit organization, were responsible for revealing this serious cybersecurity
incident. Through the official Information Culture platform, a report was
published detailing a research in the Russian
government’s online certification centers, fifty government portals and in a cyber
bid platform used by government agencies.
In total, they found leaks in 23 different
sites, exposing information such as individual insurance accounts (equivalent
to the U.S. Social Security number) and details about the citizens’ passports.
It is estimated that around 2.2 million Russian citizens have been impacted by
this incident; according to the website security audit specialists, the
information was available to almost any user with the necessary knowledge. Among
other leaked data can be found details such as:
- Full
name - Occupation
- Workplace
- Email
address - Tax
information
Although some of these data are not so easy to
find, because they require the extraction of metadata from digital signature
files, most of the exposed information can be found looking for open
directories in Google.
NGO activists say that more than eight months
ago they reported on the incident to Roskomnadzor, the Russian agency dedicated
to personal data protection. In addition, according to website security audit
specialists, the Russian agency was repeatedly notified, although the only
response the activists obtained was that the exposure of such information was
completely legal.
After months of trying to get the incident
treated properly, activists decided to disclose their findings to the public,
reported experts from the International Institute of Cyber Security (IICS).
The most probable explanations for this
incident are the lack of preparation of the Russian government’s IT teams,
inadequate data protection policies and scarce internal monitoring solutions
for staff.
