Hacker gains access to hundreds of thousands of document photos

Ära usalda oma ID-kaarti ja PIN koode võõrastele. PHOTO: Sander Ilvest

A vulnerability in the images service of Estonia's personal identification documents database allowed a hacker to download the photos of nearly 300,000 Estonians whose names and personal identification codes they already had.

State Information System’s Authority (RIA) experts discovered last week that the RIA-administered system has been attacked: 9,000 IP addresses in Estonia and abroad were used to download 286,438 personal identification document photos.

Head of RIA Margus Noormaa said that the attack was made possible by a vulnerability in the database. People have the option of downloading their own passport photo. The latter service hid a security vulnerability that was exploited by the hacker. The online service lacked sufficient security checks, while one security layer was also not working properly. The reason for the latter needs further investigation, Noormaa said.

RIA made it impossible to exploit the vulnerability upon learning of the breach and filed an application with the police who promptly identified the attacker as a man living in Tallinn. “The suspect’s place of residence was searched and the suspect interrogated on Friday morning,” said Oskar Gross, head of the police’s cybercrime unit. The attacker was not arrested.

Homework necessary

The downloaded data was confiscated and has, according to the authorities, not been shared with anyone. “The data is in the state’s safekeeping, and we have no information to suggest it has reached third persons,” Gross said. Because the investigation is still in the early phase, it is too soon to talk about the hacker’s motives.

The attacker must have done his homework: collect the personal identification codes and names of people before going after the photos. Noormaa said that the attacker did not access the database but just the photos service for which he had to run individual database queries.

“The attacker had no other aim than to access as many photos as possible,” Noormaa said. “The data cannot be used to access a single service and everything remains as secure as before,” the head of RIA added.

Oskar Gross said that the data could have been used to commit identity crimes that require people’s personal data, for example, for the purpose of creating user accounts.

“I would refrain from giving people too many ideas in terms of what could be done with the data,” Gross said. “People affected who feel their data has been used somewhere should notify the authorities at once. Human creativity is limitless, while we are hoping third persons have not gained access to the data.”

The police are investigating the incident as preparation for committing a computer crime. Noormaa said that such an attack could not have been perpetrated by someone who does not have expert knowledge. “The people in this room could not successfully perpetrate such an attack, it requires know-how,” Noormaa said.

Attack against the state

He said that it took the hacker time to collect people’s names and personal codes. The latter are not classified and can be found singly in different information systems. Whether the attacker did this by hand or used other methods will be determine in the course of proceedings. It will also be ascertained when the perpetrator first launched relevant efforts. The photos database was first breached on July 12, which activity was stopped nine days later.

Minister of Entrepreneurship and Information Technology Andres Sutt said that cybersecurity is a part of national security and that the act constituted an attack against the state. The minister deems it necessary to boost cybersecurity investments and introduce a fixed rate of spending in GDP.

Sutt promised to ask for additional investments from government reserves to speed up replacement of outdated systems and hardware.

People whose photos were accessed by the hacker will be notified by email using their eesti.ee account. The notification requires no action on the person’s part.