Multiple Russian government sites have leaked the personal and passport details of more than 2.25 million citizens, including government officials and high-ranking politicians, in the country’s latest massive data leak.
The data breach was discovered and documented by privacy expert Ivan Begtin, co-founder of Informational Culture, a Russian NGO.
Begtin published a three-part blog series in which he stated that he had investigated government online certification centers, 50 government portals, and an e-bidding platform used by government agencies.
He found 23 sites leaking individual insurance account numbers (SNILS, Russia’s equivalent of a Social Security number) and 14 sites leaking passport information.
It is estimated that, in total, the data of more than 2.25 million Russian citizens was available online and could be downloaded by anyone.
The leaked data also includes full names, job titles and places of work, emails, and tax identification numbers.
Some of the data was difficult to identify and required extracting metadata from digital signature files, while other data could be easily obtained using a Google search for open web directories on government sites.
The researcher said that he contacted Roskomnadzor, Russia’s government agency in charge of data privacy, around eight months ago. He also notified the government watchdog numerous times, but the agency did not take any measures to secure the leaky government sites.
Begtin tried to raise awareness of the issue by publishing three blog posts in late April, after which he shared his findings with Russian news site RBC, which published an in-depth exposé.
The newspaper’s own investigation unearthed the passport and personal details of several high-profile Russian government officials, such as deputy chairman of the Russian Duma (Parliament) Alexander Zhukov, former deputy prime minister Arkady Dvorkovich, and former deputy prime minister Anatoly Chubais.
According to the researcher, the leak is due to the government’s inconsistency in handling document management operations, low-skilled IT personnel, and the lack of internal monitoring solutions that could have alerted operators to the exposed data.