A hacker was able to obtain more than 280,000 personal identity document photos in an attack on the Republic of Estonia’s State Information System on 23 July 2021, before authorities were able to stop him.
The hacker had obtained personal names and ID codes, as well as a third component, the photos, by making individual requests from thousands of IP addresses.
The suspect did not gain direct access to the database; rather, he used a malware network and forged digital certification to take advantage of a security vulnerability in one of the applications, a photo transfer service, managed by the Estonian Information System Authority (RIA). That service requires additional checks of five subsystems to obtain the photos. However, the hacker discovered that the system did not sufficiently check the validity of the query. “The manipulation of systems in this way usually requires special knowledge, skill, and preparedness. The attacker had to have known a person’s name and a personal identification code to make the system think that the person was trying to download their own photo,” said Margus Noormaa, Director General of RIA.
RIA shut down the photo transfer service immediately after its misuse was discovered and fixed the security flaw. The RIA has subsequently checked other services to rule out similar security vulnerabilities. “As a result of the monitoring, we have not detected any possible attack vectors, but we will continue to check for those. We are constantly working with our partners to detect vulnerabilities before anybody can maliciously exploit them,” Noormaa explained.
Estonian citizens can rest assured
All previously compromised data is now safely back in state hands, and all individuals whose data was compromised will be notified via the state portal. The suspect is in custody.
Fortunately, the data collected was not sufficient to give the hacker access to e-state services; thus, the normal means of authentication (ID card, mobile ID and SMART ID) were not compromised.
The Republic of Estonia Information System Authority