Multiple Russian government sites have leaked the personal and passport information of over 2.25 million citizens, government employees, and high-ranking politicians.
Ivan Begtin, co-founder of Informational Culture, a Russian NGO, has discovered and documented the leaks.
In a three-part blog post series, Begtin said he investigated government online certification centers, 50 government portals, and an e-bidding platform used by government agencies.
He said he found 23 sites leaking individual insurance account number (SNILS; Russia's equivalent for a Social Security number) and 14 sites leaking passport information.
In total, the data of more than 2.25 million Russian citizens was available online, available for anyone to download, Begtin said.
Other data leaked from these sites included full names, job title and place of work, emails, and tax identification numbers.
While some leaks were harder to identify and required Begtin to extract metadata from digital signature files, some data could be found using a Google search for open web directories on government sites.
Russian government notified eight months ago
In a Facebook post today, the researcher said he contacted Roskomnadzor, Russia's government agency in charge of data privacy, eight months ago.
Begtin told ZDNet that he notified the government watchdog several times, but the agency did not come through to secure the leaky government sites, but in fact claimed the data was legal to disclose.
The newspaper's own investigation unearthed the passport and personal details of several high-profile Russian government officials, such as deputy chairman of the Russian Duma (Parliament) Alexander Zhukov, former deputy prime minister Arkady Dvorkovich, and former deputy prime minister Anatoly Chubais.
On the same day, the Roskomnadzor published a statement reiterating its stance that the data was never supposed to be private. Begtin told ZDNet that the data is still available online.
The researcher blamed the leak on the government's inconsistency when dealing with document management operations, low-skilled IT personnel, and the lack of internal monitoring solutions that could have alerted operators about the exposed data.
More data breach coverage:
- Indiana Pacers disclose security breach
- Twitter bug shared location data for some iOS users
- US charges one of the Anthem hackers
- Turkey fines Facebook for December 2018 API bug
- Hackers are collecting payment details, user passwords from 4,600 sites
- Unsecured server exposes data for 85% of all Panama citizens
- Facebook passwords by the hundreds of millions sat exposed in plain text CNET
- Facebook data privacy scandal: A cheat sheet TechRepublic