Personal Data of 20M Russian Tax Payers Was Exposed, but a Data Breach Has Not Been Confirmed Yet
Someone made a basic configuration mistake, and because of this, millions of Russian citizens now have a very good reason to be concerned. As you might have guessed already, that someone put people's data on a server and then failed to protect it with a password.
The poorly configured Elasticsearch cluster was hosted on Amazon Web Services and was discovered by researchers from Comparitech as part of their ongoing effort to find and secure this sort of data leak. The cluster contained multiple databases, and most of them held "random and publicly sourced data". Two of the databases, however, were full of sensitive personal information, and Comparitech's researchers immediately called in Bob Diachenko to help with the investigation.
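The failure described here, shown as an added illustration that is not part of the original report or of the cluster in question: an elasticsearch.yml with the weak settings that leave a node publicly reachable and unauthenticated, beside a hardened equivalent. The setting names are Elasticsearch's own; the cluster names, the private address and the certificate paths are assumptions.

```yaml
# --- Weak configuration (constructed example of the pattern behind this leak) ---
# Listening on every interface with security switched off: anyone who can reach
# port 9200 can list the indices and read every document without credentials,
# and a crawler that hits the port can index the contents.
cluster.name: exposed-cluster
node.name: node-1
network.host: 0.0.0.0          # binds to all interfaces, including the public one
http.port: 9200
discovery.type: single-node
xpack.security.enabled: false  # no authentication, no TLS

---
# --- Hardened configuration ---
cluster.name: internal-cluster
node.name: node-1
network.host: 10.0.1.15        # private address only (assumed); never a public interface
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true                            # every request must authenticate
xpack.security.http.ssl.enabled: true                   # encrypt client traffic
xpack.security.http.ssl.keystore.path: certs/http.p12   # path is an assumption
xpack.security.transport.ssl.enabled: true              # encrypt node-to-node traffic
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/transport.p12
xpack.security.transport.ssl.truststore.path: certs/transport.p12
```

On a cloud host the configuration file is only half of the control: the security group or firewall in front of the instance should also not expose ports 9200 and 9300 to the whole internet, so that a node which is later misconfigured is still not reachable by search-engine crawlers.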
20 million tax and personal records exposed
The first database contained 14 million records gathered between 2010 and 2016, and the second one held more than 6 million records amassed between 2009 and 2015. The exposed data included:
- Passport numbers
- Phone numbers
- Tax ID numbers
- Employer information
- Tax amounts
Comparitech's researchers admitted that they don't know the ins and outs of Russia's tax system, and it is indeed hard to determine what sort of damage cybercriminals can do with this information. It should be obvious to anyone, however, that these details are not supposed to be publicly accessible.
Immediately after finding it, Diachenko and Comparitech tried to notify the database's owner, and on September 20, just three days after the leak's discovery, the cluster was taken offline. The data is now secured, which is the most important thing. Some questions still remain unanswered, though.
Who collected the leaked data?
Identifying the owner of the database after the discovery of such a leak is a priority for security researchers. On this occasion, the experts did manage to learn that the cluster had been set up by someone based in Ukraine, and they sent out emails immediately.
The database was taken down, but the owner didn't reply, which means that we know nothing about the people responsible for the leak. We have no idea if they even had the legal right to collect this sort of data. What we do know is that the millions of Russian citizens whose information was in the cluster were probably none the wiser.
Was the data breached?
The owner of the database might also be able to check the access logs and determine whether or not the data was accessed by cybercriminals. Their unwillingness to talk, however, means that at this point we have no way of saying whether the data has been compromised.
The researchers did say, however, that the database was first indexed by search engines in May 2018. In other words, over 20 million records containing extremely sensitive information were accessible to anyone armed with a web browser and the right search query. This, on its own, is scary enough.