Multiple Russian government sites have leaked the personal and passport information of over 2.25 million citizens, government employees, and high-ranking politicians.
Ivan Begtin, co-founder of Informational Culture, a Russian NGO, has discovered and documented the leaks.
In a three-part blog post series, Begtin said he investigated government online certification centers, 50 government portals, and an e-bidding platform used by government agencies.
He said he found 23 sites leaking individual insurance account numbers (SNILS, Russia’s equivalent of a Social Security number) and 14 sites leaking passport information.
In total, the data of more than 2.25 million Russian citizens was available online for anyone to download, Begtin said.
Other data leaked from these sites included full names, job titles and places of work, email addresses, and tax identification numbers.
While some leaks were harder to identify and required Begtin to extract metadata from digital signature files, some data could be found using a Google search for open web directories on government sites.
Russian government notified eight months ago
In a Facebook post today, the researcher said he contacted Roskomnadzor, Russia’s government agency in charge of data privacy, eight months ago. Begtin said he notified the government watchdog several times, but the agency did not come through to secure the leaky government sites.
After trying to raise awareness of this issue by publishing three blog posts in late April [1, 2, 3], Begtin shared his findings today with Russian news site RBC, which published an in-depth exposé.
The newspaper’s own investigation unearthed the passport and personal details of several high-profile Russian government officials, such as deputy chairman of the Russian Duma (Parliament) Alexander Zhukov, former deputy prime minister Arkady Dvorkovich, and former deputy prime minister Anatoly Chubais.
The researcher blamed the leak on the government’s inconsistency when dealing with document management operations, low-skilled IT personnel, and the lack of internal monitoring solutions that could have alerted operators about the exposed data.
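The last point, the absence of any internal monitoring that would have flagged exposed identifiers, is the one a site operator can act on directly. The following is an added example, not code from the article or from Begtin's investigation: a small Python scanner that walks a directory of files intended for publication and reports SNILS values, using the SNILS control-number rule (weights 9 down to 1 over the first nine digits, modulo 101) to discard random digit strings that merely look like one. All file names and numbers in it are constructed sample data, not real records.

```python
import re
import tempfile
from pathlib import Path

# A SNILS is written XXX-XXX-XXX YY; the separators are often dropped in
# exported metadata, so they are optional here.
SNILS_RE = re.compile(r"\b(\d{3})-?(\d{3})-?(\d{3})[ -]?(\d{2})\b")


def snils_checksum(nine_digits: str) -> int:
    """Control number for the first nine digits (issuing-authority rule)."""
    total = sum(int(d) * w for d, w in zip(nine_digits, range(9, 0, -1)))
    if total < 100:
        return total
    if total in (100, 101):
        return 0
    rem = total % 101
    return 0 if rem == 100 else rem


def is_valid_snils(candidate: str) -> bool:
    """True if the token has SNILS shape and a matching control number."""
    m = SNILS_RE.fullmatch(candidate.strip())
    if not m:
        return False
    body = "".join(m.group(1, 2, 3))
    # Numbers up to 001-001-998 are exempt from the checksum rule.
    if int(body) <= 1001998:
        return True
    return snils_checksum(body) == int(m.group(4))


def find_exposed_snils(text: str) -> list[str]:
    """Return checksum-valid SNILS tokens found in a block of text."""
    return [m.group(0) for m in SNILS_RE.finditer(text) if is_valid_snils(m.group(0))]


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Map each file under root that contains SNILS values to the values found."""
    report: dict[str, list[str]] = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        hits = find_exposed_snils(text)
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report


def demo() -> dict[str, list[str]]:
    """Build a constructed publication tree and scan it (sample data only)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pub").mkdir()
        # Constructed CSV: two well-formed SNILS values that should be flagged.
        (root / "pub" / "staff.csv").write_text(
            "name,snils\nIvanov I.I.,112-233-445 95\nPetrov P.P.,087-654-303 00\n"
        )
        # Constructed notice: one SNILS with a bad control number and a phone
        # number; neither passes the checksum, so this file is not reported.
        (root / "pub" / "notice.txt").write_text(
            "Tender 2019-04-17, ref 112-233-445 96, phone 49512345678\n"
        )
        return scan_tree(root)


if __name__ == "__main__":
    for file, values in demo().items():
        print(f"{file}: {len(values)} SNILS value(s) exposed")
```

Run on a real web root, a job like this belongs in the publishing pipeline or a scheduled task so that a hit raises an alert before the directory is reachable from the internet; the same structure extends to passport-number and tax-number patterns, which have their own formats and should get their own validators rather than a bare digit regex.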