Estonian police arrested a man from Tallinn that is suspected to have stolen 286,438 belonging to Estonians citizens from the government systems.
The hacker exploited a vulnerability in a photo transfer service vulnerability to download ID scans from the Identity Documents Database (KMAIS). The hacker did not breach e-state services.
At the time of this writing that is no evidence that the same vulnerability was exploited in the past by other threat actors.
“This data was not, however, enough for the hacker to access e-state services, meaning the normal means of authentication (ID card, mobile ID and SMART ID) have not been compromised.”
A joint operation conducted by the cybercrime Bureau of the National Criminal Police and RIA led to the identification of the Tallin resident.
“During the searches, investigators found the downloaded photos from a database in the person’s possession, along with the names and personal identification codes of the people,” Oskar Gross, head of the police’s cybercrime unit, said.
“Currently, we have no reason to believe that the suspect would have used or transmitted this data maliciously, but we will further clarify the possible motives for the act in the course of the proceedings.”
The good new is that stolen information could not be used to carry out financial transactions on behalf of legitimate citizens, RIA added that they cannot be used to access state digital services.
“It is not possible to gain access to e-services, give a digital signature, or to perform different financial transactions (incl. bank transfers, purchase and sales transactions, notarial transactions, etc.) using a document photo, personal identification code, or name,” states RIA Director General Margus Noormaa. “People whose document photos have been stolen need not apply for a new physical or digital document (passport, ID-card, residence permit card, mobile-ID or Smart-ID, etc.) or take a new document photo. All identity documents and photos remain valid.”
The Estonia ‘ Government will notify impacted citizens via email by the Estonian Police and Border Guard Board.
In a separate security breach that was disclosed earlier this month, hackers stole the personal data of over 300,000 citizens from the Eesti.ee state portal’s access rights management system.
“A hacker was able to obtain over 280,000 personal identity photos following an attack on the state information system last Friday. The suspect is reportedly a resident of Tallinn.The culprit had already obtained personal names and ID codes and was able to obtain a third component, the photos, by making individual requests from thousands of IP addresses.” reported the ERR website.
(SecurityAffairs – hacking, Estonia)