The Central Criminal Police carried out procedural acts in Tallinn earlier this week with regard to two young men who are suspected of breaking into the information system of Itella parcel machines last fall and downloading the data of nearly 10,000 people.
According to the initial suspicion, two local young men, aged 15 and 19, obtained access to Itella's information system and downloaded the data of nearly 10,000 people.
The suspects compiled a detailed overview of the security vulnerability and published it online along with people's details, making the names, email addresses and mobile phone numbers of Itella customers publicly available.
Ago Ambur, head of the cyber crime bureau of the Central Criminal Police, said the suspects were identified despite their attempts to cover their tracks.
«The search for vulnerabilities, whether motivated by financial or intellectual interest, is a very common phenomenon in the cyber world. There are legal ways to look for such vulnerabilities and to report them responsibly. In this case, an information system was hacked into without the consent of the owner, data was downloaded and detailed information about the vulnerability was posted on social media for all to read,» Ambur said.
«Young people's interest in cyber security is very welcome, but you have to stay within the bounds of the law. Hacking can also be done legally, as many companies themselves call to report security vulnerabilities found in their systems. There are also special environments that mediate such activities, and there are several employers in Estonia who officially pay wages for such activities,» the head of the cyber crime bureau said.
State Prosecutor Vahur Verte said the investigation must now clarify the motives behind the act and the exact role of the suspects. After the end of the pre-trial proceedings, the prosecutor's office will decide about the further course of action in said proceeding.
«The service provider must make sure that customers' data is secured and kept in the best way, that IT systems are up to date and that security updates required by manufacturers are in place. While every step leaves a trail in cyberspace that allows the police find the perpetrator, catching the suspect does not mitigate the damage done to customers -- data entrusted to the service provider has fallen into the hands of strangers, often people with bad intentions. Cyber security is expensive, but not investing in it is even more so,» said Verte.
The investigation was opened under the section of the Penal Code that deals with illegal obtaining of access to a computer system. The 19-year-old is also suspected of using a forged document.
The case is being investigated by the cyber crimes bureau of the Central Criminal Police under the supervision of the Office of the Prosecutor General.