Sensitive data of 2.25 million Russians exposed online

Passport information of senior officials are publicly accessible after a researcher identifies leaky government sites

A computer with data overlaid onto the Russian flag

More than 2.25 million Russian citizens' personal details have been exposed online through misconfigured government websites, including the passport information of high-profile Russian government officials.

An examination of a swathe of government platforms has found 23 sites leaking citizens' insurance account numbers and 14 sites leaking passport information, according to Ivan Begtin, co-founder of NGO Information Culture.

The researcher disclosed his findings to Russian media in a set of three articles, with the latest released this week in RBC revealing around 360,000 records were exposed. The details exposed includes the passport details and personal information of former Russian deputy prime ministers Anatoly Chubais and Arkady Dvorkovich.

This is in addition to an article Begtin published last month revealing that 2.25 million records are publicly available from the websites of certification centres. In his findings, he outlined information for several exposed systems including those for arbitration courts and the Ministry of Defence, rating the criticality as 'high' for all.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Begtin summarised his wider findings in a Facebook post, adding that he notified Russian authorities several times as early as eight months ago. But the Roskomnadzor, Russia's communications agency, "did not react".

He blamed errors in legislation, miscalculations by developers and shoddy work by data regulators as the core reasons why such a vast amount of information has been exposed by these government sites.

Begtin also cited a lack of professionalism with the IT developers who have built the sites, and are responsible for their maintenance.

Russia has not adopted the EU's General Data Protection Regulation (GDPR), rather its data regulators lean on a set of several data protection laws dating back to the previous decade, such as the Russian Personal Data Law 152-FZ of 2006.

The Russian communications agency responded to Begtin's findings shortly after he released his post, suggesting the data may have been intentionally made public and that there are no violations of data protection laws.

"An analysis of the situation has shown that such publication of personal data falls under the legal grounds provided for by article 6 of the Federal Law 'On Personal Data'," a Roskomnadzor spokesperson said.

Advertisement - Article continues below

"In particular, there are cases when personal data are subject to publication or mandatory disclosure to an unlimited number of persons for the implementation and fulfilment of the functions, powers and duties assigned by the Russian legislation to the operator."

The agency claimed the information published on the Ministry of Justice's website did not contain passport data.

Begtin's research highlights the importance of digital transformation, particularly in large public sector organisations where systems can date back as far as 30 years. Robust systems and practices can, in particular, prevent data leakages where sensitive information is concerned.

In the UK, the government was warned earlier this year that it must focus on replacing legacy IT or face risks of hanging onto outdated systems.

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now
Advertisement

Recommended

Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/business/business-strategy/354252/huawei-takes-the-us-trade-sanctions-into-its-own-hands
Business strategy

Huawei takes the US trade sanctions into its own hands

3 Dec 2019
Visit/hardware/354237/five-signs-that-its-time-to-retire-it-kit
Sponsored

Five signs that it’s time to retire IT kit

29 Nov 2019
Visit/mobile/mobile-phones/354273/pablo-escobars-brother-launches-budget-foldable-phone
Mobile Phones

Pablo Escobar's brother launches budget foldable phone

4 Dec 2019