Ivan Begtin, co-founder of Informational Culture, a Russian NGO, has discovered and documented the leaks.
In a three-part blog post series, Begtin said he investigated government online certification centers, 50 government portals, and an e-bidding platform used by government agencies.
He said he found 23 sites leaking individual insurance account numbers (SNILS, Russia's equivalent of a Social Security number) and 14 sites leaking passport information.
In total, the data of more than 2.25 million Russian citizens was available online for anyone to download, Begtin said.
Other data leaked from these sites included full names, job titles and places of work, emails, and tax identification numbers.
While some leaks were harder to identify and required Begtin to extract metadata from digital signature files, some data could be found using a Google search for open web directories on government sites.
Begtin told ZDNet that he notified the government watchdog several times, but the agency did not act to secure the leaky government sites and instead claimed the data was legal to disclose.
After trying to raise awareness of this issue by publishing three blog posts in late April [1, 2, 3], Begtin shared his findings today with Russian news site RBC, which published an in-depth exposé.
The newspaper's own investigation unearthed the passport and personal details of several high-profile Russian government officials, such as deputy chairman of the Russian Duma (Parliament) Alexander Zhukov, former deputy prime minister Arkady Dvorkovich, and former deputy prime minister Anatoly Chubais.
On the same day, Roskomnadzor published a statement reiterating its stance that the data was never supposed to be private. Begtin told ZDNet that the data is still available online.
The researcher blamed the leak on the government's inconsistency when dealing with document management operations, low-skilled IT personnel, and the lack of internal monitoring solutions that could have alerted operators about the exposed data.