Sensitive data of 2.25 million Russians exposed online

Passport information of senior officials is publicly accessible after a researcher identifies leaky government sites


More than 2.25 million Russian citizens' personal details have been exposed online through misconfigured government websites, including the passport information of high-profile Russian government officials.

An examination of a swathe of government platforms has found 23 sites leaking citizens' insurance account numbers and 14 sites leaking passport information, according to Ivan Begtin, co-founder of NGO Information Culture.

The researcher disclosed his findings to Russian media in a set of three articles, with the latest released this week in RBC revealing around 360,000 records were exposed. The exposed details include the passport details and personal information of former Russian deputy prime ministers Anatoly Chubais and Arkady Dvorkovich.

This is in addition to an article Begtin published last month revealing that 2.25 million records are publicly available from the websites of certification centres. In his findings, he outlined information for several exposed systems including those for arbitration courts and the Ministry of Defence, rating the criticality as 'high' for all.

Begtin summarised his wider findings in a Facebook post, adding that he notified Russian authorities several times as early as eight months ago. But Roskomnadzor, Russia's communications agency, "did not react".

He blamed errors in legislation, miscalculations by developers and shoddy work by data regulators as the core reasons why such a vast amount of information has been exposed by these government sites.

Begtin also cited a lack of professionalism among the IT developers who built the sites and are responsible for their maintenance.

Russia has not adopted the EU's General Data Protection Regulation (GDPR); instead, its data regulators lean on a set of several data protection laws dating back to the previous decade, such as the Russian Personal Data Law 152-FZ of 2006.

The Russian communications agency responded to Begtin's findings shortly after he released his post, suggesting the data may have been intentionally made public and that there are no violations of data protection laws.

"An analysis of the situation has shown that such publication of personal data falls under the legal grounds provided for by article 6 of the Federal Law 'On Personal Data'," a Roskomnadzor spokesperson said.

"In particular, there are cases when personal data are subject to publication or mandatory disclosure to an unlimited number of persons for the implementation and fulfilment of the functions, powers and duties assigned by the Russian legislation to the operator."

The agency claimed the information published on the Ministry of Justice's website did not contain passport data.

Begtin's research highlights the importance of digital transformation, particularly in large public sector organisations where systems can date back as far as 30 years. Robust systems and practices can, in particular, prevent data leakages where sensitive information is concerned.

In the UK, the government was warned earlier this year that it must focus on replacing legacy IT or face risks of hanging onto outdated systems.
