Sensitive data of 2.25 million Russians exposed online

Passport information of senior officials are publicly accessible after a researcher identifies leaky government sites

A computer with data overlaid onto the Russian flag

More than 2.25 million Russian citizens' personal details have been exposed online through misconfigured government websites, including the passport information of high-profile Russian government officials.

An examination of a swathe of government platforms has found 23 sites leaking citizens' insurance account numbers and 14 sites leaking passport information, according to Ivan Begtin, co-founder of NGO Information Culture.

The researcher disclosed his findings to Russian media in a set of three articles, with the latest released this week in RBC revealing around 360,000 records were exposed. The details exposed includes the passport details and personal information of former Russian deputy prime ministers Anatoly Chubais and Arkady Dvorkovich.

This is in addition to an article Begtin published last month revealing that 2.25 million records are publicly available from the websites of certification centres. In his findings, he outlined information for several exposed systems including those for arbitration courts and the Ministry of Defence, rating the criticality as 'high' for all.

Begtin summarised his wider findings in a Facebook post, adding that he notified Russian authorities several times as early as eight months ago. But the Roskomnadzor, Russia's communications agency, "did not react".

He blamed errors in legislation, miscalculations by developers and shoddy work by data regulators as the core reasons why such a vast amount of information has been exposed by these government sites.

Begtin also cited a lack of professionalism with the IT developers who have built the sites, and are responsible for their maintenance.

Russia has not adopted the EU's General Data Protection Regulation (GDPR), rather its data regulators lean on a set of several data protection laws dating back to the previous decade, such as the Russian Personal Data Law 152-FZ of 2006.

The Russian communications agency responded to Begtin's findings shortly after he released his post, suggesting the data may have been intentionally made public and that there are no violations of data protection laws.

"An analysis of the situation has shown that such publication of personal data falls under the legal grounds provided for by article 6 of the Federal Law 'On Personal Data'," a Roskomnadzor spokesperson said.

"In particular, there are cases when personal data are subject to publication or mandatory disclosure to an unlimited number of persons for the implementation and fulfilment of the functions, powers and duties assigned by the Russian legislation to the operator."

The agency claimed the information published on the Ministry of Justice's website did not contain passport data.

Begtin's research highlights the importance of digital transformation, particularly in large public sector organisations where systems can date back as far as 30 years. Robust systems and practices can, in particular, prevent data leakages where sensitive information is concerned.

In the UK, the government was warned earlier this year that it must focus on replacing legacy IT or face risks of hanging onto outdated systems.

Featured Resources

Unleashing the power of AI initiatives with the right infrastructure

What key infrastructure requirements are needed to implement AI effectively?

Download now

Achieve today. Plan tomorrow. Making the hybrid multi-cloud journey

A Veritas webinar on implementing a hybrid multi-cloud strategy

Download now

A buyer’s guide for cloud-based phone solutions

Finding the right phone system for your modern business

Download now

The workers' experience report

How technology can spark motivation, enhance productivity and strengthen security

Download now

Recommended

TikTok vulnerability exposed private user data
data protection

TikTok vulnerability exposed private user data

26 Jan 2021
SonicWall hacked via zero-day flaw in remote access tools
Security

SonicWall hacked via zero-day flaw in remote access tools

25 Jan 2021
Best ransomware removal tools
ransomware

Best ransomware removal tools

22 Jan 2021
Hackers publish over 4,000 files stolen from SEPA in ransomware attack
Security

Hackers publish over 4,000 files stolen from SEPA in ransomware attack

22 Jan 2021

Most Popular

How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
WhatsApp could face €50 million GDPR fine
General Data Protection Regulation (GDPR)

WhatsApp could face €50 million GDPR fine

25 Jan 2021
How to recover deleted emails in Gmail
email delivery

How to recover deleted emails in Gmail

6 Jan 2021