Personal and passport data on 2.25 million Russians, including high-ranking government officials, leaked
Sensitive data belonging to millions of Russians has been leaked online, a Russian security researcher has discovered.
The data belonging to 2.25 million Russian citizens was discovered online because of misconfigured websites.
And to make matters worse, it seems that the data includes highly sensitive passport data, some of it belonging to high-ranking government officials, among them the passport details and personal information of former Russian deputy prime ministers Anatoly Chubais and Arkady Dvorkovich.
The discovery of the data leak was made by Ivan Begtin, co-founder of Information Culture (a Russian NGO), who made a series of blog postings (in Russian) on the matter.
He also reportedly summarised all his findings in a Facebook post.
According to multiple media reports, it seems the data was leaked through a number of misconfigured government websites, including 23 websites which leaked citizens’ insurance account numbers and 14 websites that leaked the passport information.
ITPro reported that the websites responsible for the leak include those of arbitration courts, the Russian Ministry of Defence and certification centres.
Begtin also reportedly notified Russian authorities several times, as long ago as October last year, but Roskomnadzor (Russia’s communications agency) “did not react”.
Begtin reportedly blamed errors in legislation, miscalculations by developers and shoddy work by data regulators for the leaks. He also apparently cited a lack of professionalism among the IT developers who built the sites, and those responsible for maintenance.
But security experts highlighted the sensitive nature of the leaked data, which many regard as the holy grail of personal data.
“The fact that the personal identifiable information that was leaked in this incident belongs to government officials makes the response of their organisations and of the people involved even more crucial,” said Paul Norris, senior systems engineer, EMEA, at Tripwire.
“There is obvious value in obtaining passport information, job titles, email addresses, place of work and tax identification numbers of government workers but these are also a goldmine for malicious actors intending to plan further attacks,” said Norris.
“It is paramount that the involved parties take all the necessary steps to mitigate the consequences of this incident, which include changing all their passwords, requesting a new passport and looking out for potential BEC and spear phishing emails that may come through their inbox,” he added.
“Instances such as this data leak should serve as a reminder that all organisations should take security weaknesses warnings very seriously and should continuously monitor their entire network and infrastructure for potential vulnerabilities, especially when their servers contain such sensitive data,” Norris concluded.
Another expert also picked up on the severity of the data breach.
“Any data breach of this magnitude is cause for concern, but some stand out in terms of severity more than others,” explained Corin Imai, senior security advisor at DomainTools.
“The fact that passport data – one of the most coveted forms of PII – was lost in this breach in such a significant volume means this breach could be a hugely useful tool for cybercriminals hoping to carry out phishing campaigns or social engineering campaigns more broadly,” Imai warned.
“Another facet of this story which makes it so concerning is that this includes former government officials, who would have been (and possibly still are) privy to incredibly sensitive information relating to domestic or international Russian affairs,” Imai added.
“For these individuals, a breach of their data not only constitutes the potential for personal damage, but could also represent an issue of national security,” he warned. “Those affected should be extremely cautious of any unusual email, SMS or phone communication in order to mitigate the damage of this breach.”
Last year security experts had warned that the compromise of passport data in the Air Canada data breach could pose a serious risk of identity fraud for those affected.
That breach involved Air Canada’s mobile app, which was integrated with its Aeroplan frequent flyer programme.