Tax and PII records of 20 million Russians stored without encryption, leaked online

Sensitive data was available to anyone with a browser.


Over 20 million tax records belonging to Russian citizens were left unprotected and exposed through an online database accessible to the public, researchers say. 

This week, cybersecurity researchers from Comparitech, in partnership with Bob Diachenko, said that the unsecured server contained highly sensitive information spanning from 2009 to 2016.

The Elasticsearch cluster, hosted on Amazon Web Services (AWS), was reachable without any credentials and its contents were stored unencrypted, so the Personally Identifiable Information (PII) of Russian nationals could be read over plain HTTP by anyone who found the address.
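Checking whether a cluster answers without credentials is straightforward. The following Python script is an added example and not code from Comparitech, Bob Diachenko or the cluster's owner; it assumes the Elasticsearch default of plain HTTP on port 9200, and the hostnames and responses in it are constructed so that it runs offline. The `fetch` function performs real requests if `probe` is pointed at a host you are authorised to test.

```python
"""Probe an Elasticsearch node for unauthenticated access.

Added example; not code from the article, Comparitech or Bob Diachenko.
Hostnames and sample responses below are constructed for illustration.
"""
import json
import urllib.error
import urllib.request

ES_PORT = 9200  # Elasticsearch default HTTP port (assumption: plain HTTP, no TLS)


def fetch(url, timeout=5):
    """GET url and return (status, body). HTTP error codes are returned, not raised;
    connection failures raise URLError."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def classify(status, body):
    """Classify the response to GET / on a suspected Elasticsearch node."""
    if status in (401, 403):
        return "auth-required"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "not-elasticsearch"
        # A bare node answers GET / with its cluster name and version block.
        if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
            return "exposed"
        return "not-elasticsearch"
    return "unexpected"


def probe(host, port=ES_PORT, fetcher=fetch):
    """Probe one host; if it is open, list index names and document counts."""
    base = f"http://{host}:{port}"
    try:
        status, body = fetcher(f"{base}/")
    except (urllib.error.URLError, OSError):
        return {"host": host, "state": "unreachable", "indices": []}
    result = {"host": host, "state": classify(status, body), "indices": []}
    if result["state"] == "exposed":
        try:
            s2, b2 = fetcher(f"{base}/_cat/indices?format=json&h=index,docs.count")
            if s2 == 200:
                for row in json.loads(b2):
                    result["indices"].append(
                        (row.get("index"), int(row.get("docs.count") or 0))
                    )
        except (urllib.error.URLError, OSError, ValueError):
            pass  # open node, but index listing failed; the exposure still stands
    return result


# Constructed stand-ins for an open node, a locked node and a dead host (not real data).
FAKE_RESPONSES = {
    "http://es-open.example:9200/": (
        200,
        json.dumps({"name": "node-1", "cluster_name": "elasticsearch",
                    "version": {"number": "6.8.2"}}),
    ),
    "http://es-open.example:9200/_cat/indices?format=json&h=index,docs.count": (
        200,
        json.dumps([{"index": "index-a", "docs.count": "1200"},
                    {"index": "index-b", "docs.count": "34"}]),
    ),
    "http://es-locked.example:9200/": (
        401, '{"error":"missing authentication credentials"}'
    ),
}


def fake_fetch(url, timeout=5):
    """Offline replacement for fetch() that serves the constructed responses."""
    if url not in FAKE_RESPONSES:
        raise urllib.error.URLError("connection refused")
    return FAKE_RESPONSES[url]


if __name__ == "__main__":
    for host in ("es-open.example", "es-locked.example", "es-down.example"):
        print(probe(host, fetcher=fake_fetch))
```

The `exposed` verdict alone is the finding: an index listing with document counts, as in the constructed `es-open.example` case, tells you the size of what is readable, and an HTTP 401 or 403 means at least basic authentication is in front of the node. Run this only against infrastructure you own or are permitted to test.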


Multiple databases were contained in the cluster. While some only stored publicly available data and information the team called "random," two in particular contained PII and tax records which, in the wrong hands, could be used to commit identity theft or to craft tailored phishing scams.

The first database stored over 14 million records from 2010 to 2016, whereas the second contained 6 million records from 2009 to 2015. 

Names, addresses, residency status, passport numbers, phone numbers, tax IDs, employer names and telephone numbers, and tax values were exposed. 


The majority of records appear to be connected to citizens from Moscow and the city's surrounding areas. 

The database was first indexed by search engines in May 2018. Diachenko found the server on September 17, 2019, and tracked down the owner, leading to the lockdown of the exposed information three days later. 

While the owner did remove the database from public access, they did not respond to follow-up emails asking who they were or on whose behalf the data was held.

"We cannot determine whether anyone else accessed the data while it was exposed," the researchers say. "We could only determine that the owner is in Ukraine and know little more about the party responsible."


This is not the only time that leaky servers have exposed the data of a country's citizens en masse. In September, vpnMentor security researchers Noam Rotem and Ran Locar revealed a separate Elasticsearch server that contained PII belonging to Ecuadorian nationals.

Roughly 20.8 million user records were involved in the breach and information including names, family connections, national ID numbers, dates of birth, and financial data was exposed and available for anyone to view online. 
