Šarūnas Grigaliūnas, head of the Cybersecurity Competence Center at Kaunas University of Technology, told 15min that the IT department of the Registry Center faces a long road ahead in conducting an internal investigation and checking the supply chain.
Read more Firefighters: fire at London kosher food store not considered suspicious
However, the expert’s attention also turns to the institutions from which employee accounts were used to access the Registry Center’s data.
15min sources indicated that the leak leads to the accounts of Migration Department employees, which are suspected to have been hacked, and this was confirmed by law enforcement on Monday. The criminals could have taken over the accounts by hacking into those employees’ email.
“The fact that the Registry Center was accessed through user accounts means that all accounts that were used to log in or the institutions from which these accounts were used may also be compromised. This means that not only the Registry Center should conduct an audit or self-check, but also the institutions whose employees’ accounts were compromised. This means we have an entire compromised supply chain with different access points,” described the scale of the problem Š. Grigaliūnas.
According to him, it is important to conduct the investigation because the employees whose accounts were used to hack into the Registry Center likely had access to important data in their own institutions.
“This is just the beginning, you know. We will have a second wave when someone accumulates this data,” the expert speculated.
Still, Rokas Pukinskas, chief advisor of the Migration Department, assured 15min that no illegal activities have been recorded in the Migration Department’s systems.
“The Migration Department informs that all institution-managed information systems and databases are protected, and the personal data stored in them are safe and have not been illegally disclosed to third parties. No illegal activities have been recorded in the MIGRIS system,” the Migration Department’s statement says.
“We emphasize that the personal data collected and processed by the Migration Department are not provided on a self-service basis,” the Migration Department adds.
Data collected over several months
On Monday, residents shared on social networks that their real estate (RE) data was collected from January to April. It happened that different RE objects of the same owner were checked in different months.
Among the affected were politicians, journalists, public servants, and representatives of various other professions.
Š. Grigaliūnas said that such long-term data collection revealed that the Registry Center’s monitoring systems were insufficient or unable to identify the so-called user behavior deviation from the norm.
“For example, if this is Šarūnas’s work tool and he logs in during work hours to check a person’s relationship with some property record, that is normal because he is a representative of the institution and has the right to do so. It is not normal if Šarūnas logs in on a Saturday or Sunday or at night when he should not be working and obtains that information,” the expert pointed out.
Read more The Supreme Court confirmed the acquittal of Biržai district politicians in the corruption case
He also speculated that the criminals might have obtained lists of people whose property records needed to be “siphoned” on the dark net.
When was the crime discovered?
The institutions only learned about the data being siphoned since January after several months—in April.
As stated in a comment from the Ministry of Economy and Innovation (EIMIN) provided to 15min, on April 3, information was received from the Registry Center about an internal investigation by the Migration Department regarding possibly illegally obtained data of two individuals.
“On April 3, the Ministry of Economy and Innovation received information from the Registry Center about an investigation being conducted in the Migration Department’s Immunity Division regarding possibly misappropriated and illegally obtained data of two individuals through accounts belonging to the Migration Department,” the ministry’s comment states.
On the same day, April 3, the Migration Department provided “initial information” to the State Data Protection Inspectorate (VDAI), 15min was told by VDAI.
After 10 days—on April 13—the Registry Center also provided “initial information” to VDAI, although VDAI must be informed within 72 hours after a personal data leak.
On April 15, the Lithuanian Criminal Police Bureau informed the Registry Center about the initiation of a pre-trial investigation, and on April 21, an inter-institutional meeting was held at the Ministry of Economy and Innovation, where the scale of the data breach was reported.
On May 7, the Registry Center already contacted VDAI and submitted an official report about the personal data security breach. A week later, on May 15, VDAI started an investigation.
READ MORE: The Data Inspectorate revealed when the incident was reported: the first information was not from the Registry Center
The public learned about the unprecedented theft of residents’ personal data last Friday, May 22—after 15min inquiries, the Registry Center confirmed the incident information to the portal, and the General Prosecutor’s Office immediately after the 15min publication announced it was conducting an investigation into the possibly illegally “siphoned” data from the Registry Center. Soon the prosecutor’s office also publicly announced the investigation.
Residents were outraged about why they were not informed for three to four months that their sensitive personal data had leaked. Registry Center press representative Mindaugas Samkus explained to 15min that residents were decided to be informed after clarifying the circumstances.
“We learned about this case in April—we blocked the accounts and passed the information to the responsible institutions, which began investigating the case. After law enforcement started the investigation, it was decided that informing residents about the illegally disclosed data would take place once the factual circumstances were established and technical preparations for the notification were made,” said M. Samkus.
Read more Vilnius police are searching for a missing minor: may have traveled to another city
