Sensitive data of 2.25 million Russians exposed online

Passport information of senior officials is publicly accessible after a researcher identifies leaky government sites

More than 2.25 million Russian citizens' personal details have been exposed online through misconfigured government websites, including the passport information of high-profile Russian government officials.

An examination of a swathe of government platforms has found 23 sites leaking citizens' insurance account numbers and 14 sites leaking passport information, according to Ivan Begtin, co-founder of NGO Information Culture.

The researcher disclosed his findings to Russian media in a set of three articles, with the latest, released this week in RBC, revealing that around 360,000 records were exposed. The details exposed include the passport details and personal information of former Russian deputy prime ministers Anatoly Chubais and Arkady Dvorkovich.

This is in addition to an article Begtin published last month revealing that 2.25 million records are publicly available from the websites of certification centres. In his findings, he outlined information for several exposed systems including those for arbitration courts and the Ministry of Defence, rating the criticality as 'high' for all.

Begtin summarised his wider findings in a Facebook post, adding that he notified Russian authorities several times as early as eight months ago. But Roskomnadzor, Russia's communications agency, "did not react".

He blamed errors in legislation, miscalculations by developers and shoddy work by data regulators as the core reasons why such a vast amount of information has been exposed by these government sites.

Begtin also cited a lack of professionalism among the IT developers who built the sites and are responsible for their maintenance.

Russia has not adopted the EU's General Data Protection Regulation (GDPR); rather, its data regulators lean on a set of several data protection laws dating back to the previous decade, such as the Russian Personal Data Law 152-FZ of 2006.

The Russian communications agency responded to Begtin's findings shortly after he released his post, suggesting the data may have been intentionally made public and that there are no violations of data protection laws.

"An analysis of the situation has shown that such publication of personal data falls under the legal grounds provided for by article 6 of the Federal Law 'On Personal Data'," a Roskomnadzor spokesperson said.

"In particular, there are cases when personal data are subject to publication or mandatory disclosure to an unlimited number of persons for the implementation and fulfilment of the functions, powers and duties assigned by the Russian legislation to the operator."

The agency claimed the information published on the Ministry of Justice's website did not contain passport data.

Begtin's research highlights the importance of digital transformation, particularly in large public sector organisations where systems can date back as far as 30 years. Robust systems and practices can, in particular, prevent data leakages where sensitive information is concerned.

In the UK, the government was warned earlier this year that it must focus on replacing legacy IT or face risks of hanging onto outdated systems.
