The personal information and passport details of more than 2 million Russian citizens, including government employees and members of the country’s political elite, have been exposed through multiple government websites, reported several website security audit firms.
Informational Culture activists, a Russian non-profit organization, were responsible for revealing this serious cybersecurity incident. Through the official Information Culture platform, a report was published detailing a research in the Russian government’s online certification centers, fifty government portals and in a cyber bid platform used by government agencies.
In total, they found leaks in 23 different sites, exposing information such as individual insurance accounts (equivalent to the U.S. Social Security number) and details about the citizens’ passports. It is estimated that around 2.2 million Russian citizens have been impacted by this incident; according to the website security audit specialists, the information was available to almost any user with the necessary knowledge. Among other leaked data can be found details such as:
- Full name
- Email address
- Tax information
Although some of these data are not so easy to find, because they require the extraction of metadata from digital signature files, most of the exposed information can be found looking for open directories in Google.
NGO activists say that more than eight months ago they reported on the incident to Roskomnadzor, the Russian agency dedicated to personal data protection. In addition, according to website security audit specialists, the Russian agency was repeatedly notified, although the only response the activists obtained was that the exposure of such information was completely legal.
After months of trying to get the incident treated properly, activists decided to disclose their findings to the public, reported experts from the International Institute of Cyber Security (IICS).
The most probable explanations for this incident are the lack of preparation of the Russian government’s IT teams, inadequate data protection policies and scarce internal monitoring solutions for staff.