A few weeks ago, at the end of July, many of my friends started receiving e-mails stating that their personal data had been compromised. Turns out, they were only a few of hundreds of thousands of people as the Estonian Information System Authority’s (Riigi Infosüsteemi Amet – RIA) database which included identification document photos was recently compromised due to a security vulnerability in a service managed by RIA.
Nature of the breach
According to the news, the hacker had first obtained people's personal identification codes and names from the public web, after which he/she was able to obtain the photos by making individual requests. By using names and personal identification codes, the hacker managed to create a situation where the system thought that it was the person who wanted to download his/her photo. RIA was notified of the increased number of inquiries on 16 July and detected a mass download of data through additional monitoring on 21 July.
According to RIA, the digitally-stored photos were the only data the hacker had been able to obtain and no databases had been compromised. According to RIA, they identified and corrected the system error and claimed that such manipulation is no longer possible.
Criminal investigations ongoing
The police arrested an Estonian citizen whose computer was used to commit the theft. Criminal investigations are ongoing.
Potential consequences for those affected
Claimedly, the data were not transmitted further from the suspect's computer and there is no reason to believe that the data have been misused.
According to RIA, it is unlikely that any severe consequences follow to those affected by the breach as it is not possible to falsify anyone’s digital identity based on the relevant data (i.e., document photo, name and personal identification code) and it is not possible to access any state e-services, carry out any notarial or other financial transactions, etc.
It was noted, however, that if the data were transmitted to another party, there is a possibility that the combination of photo, name, and personal identification code can be used to create a rudimentary fake document (without security features) and use such document for some services which identify people using a photo (e.g., vehicle and/or bike rent), as well as create fake social media accounts.
Potential consequences for RIA
The Estonian Data Protection Inspectorate commented that no fines can be issued against a state authority and it was unlikely that the affected persons could claim compensation. Considering that the Estonian Supreme Court recently decided not to award financial compensation in a situation where a person's health data and data related to disability were publicly available in the document register of a public institution (Social Insurance Board), it indeed seems rather unlikely. Time will tell whether any severe consequences follow to the persons concerned and whether that may give basis for claiming compensation.
Article provided by: Mari-Liis Orav (TGS Baltic, Estonia)
Dr. Tobias Höllwarth (Managing Director INPLP)