A hacker was able to obtain over 280,000 personal identity photos following an attack on the state information system last Friday. The suspect is reportedly a resident of Tallinn.
The culprit had already obtained personal names and ID codes and was able to obtain a third component, the photos, by making individual requests from thousands of IP addresses.
This data was not, however, enough for the hacker to access e-state services, meaning the normal means of authentication (ID card, mobile ID and SMART ID) have not been compromised.
An Information System Authority (RIA) database holding document photos was compromised.
Speaking at a press conference Wednesday, Oskar Gross, head of the central criminal police cyber crime office, said that: "To date, the individual who committed the attack has had the data he hacked seized and confiscated by the police," adding that the perpetrator was a resident of Tallinn.
The attack did not seem to have much rhyme or reason to it, RIA head Margus Noormaa, who also appeared at the press conference, said.
He said: "The [hacked] photos were random; there was no purpose here other than to get them."
These, totaling 286,438, had been downloaded en masse from 9,000 different domestic and foreign IP addresses, using a malware network and forged digital certification and taking advantage of a vulnerability, Noormaa said, adding that digitally-stored photos were the only data the hacker had been able to obtain; no database had been compromised.
The data the hacker obtained, namely picture, personal ID code and the individual's name, were insufficient to access any of Estonia's e-state services, Noormaa said, adding that all those whose data was compromised in this way will be notified via the state portal.
IT minister: Clear attack on the Estonian state
IT and foreign trade minister Andres Sutt (Reform) called the incident a clear attack on the Estonian state.
Sutt said that: "Cybercrime is clearly on the rise, and that means we need to constantly invest in cyber security at both public and private levels," adding that he plans to raise this issue and its possible funding at Thursday's cabinet meeting.
"I will be speeding up the replacement of some older, legacy data systems and solutions," Sutt said.
"We have begun consolidating basic IT infrastructure and support, which in turn will bolster cyber security," he added.
The hacker had first obtained people's personal identification codes and names from the public web, after which he or she was able to obtain photos by making individual requests.
"These types of queries go via the public web, making the attack possible in this way," Margus Noormaa said.
Oskar Gross said the police were notified of the breach last Thursday, with a suspect search following Friday morning, while the suspect has already been questioned.
All previously compromised data is now safely back in state hands, he said. "As this is a case of national importance, it also merited a quick response."
RIA has provided a list of frequently asked questions in relation to the incident, which ERR News has republished below.
In summary, RIA said:
- it is not possible to falsify any person's digital identity based on a document photo, a name and a personal identification code;
- with these data it is not possible to access any state e-services or carry out any notarial or other financial transactions;
- theft of these data has no effect on any physical or digitally used document, i.e. the ID-card, the residence permit, the Mobile-ID or the Smart-ID;
- all Estonian e-services are safe and no person whose photo was downloaded needs to apply for a new document.
Was my data stolen?
All those whose document photo with their personal identification code and name was stolen will receive a notification at the email address to which they have directed notifications sent by the state. The data set that fell into the hands of the criminal includes a document photo, first name and surname, and the personal identification code of a person.
What should I do if it turns out that my data has been stolen?
Based on the current information, we know that the data was not transmitted further from the suspect's computer. Therefore, there is reason to believe that the data have not been misused more.
However, if the data was transmitted, it is important to consider the possibility that the combination of a picture, name, and personal identification code can only be used to create a rudimentary fake document (without security features). It is possible that such a document could be used for some services which identify people using a photo (e.g. vehicle and/or bike rent). Such services are used more abroad. It is also possible to create fake social media accounts, for example.
Note! If you suspect that someone has used your data in any one of these ways, report this to the police.
It is important to remember that the theft of this data has no impact on ID-cards, Mobile-ID, or Smart-ID. All identity documents will also be valid, including the documents, the document photos of which were illegally downloaded. It is not possible to gain access to e-services, give a digital signature, or to perform different financial transactions (incl. bank transfers, purchase and sales transactions, notarial transactions, etc.) using a document photo, personal identification code, or name. People whose document photos have been stolen need not apply for a new physical or digital document (passport, ID-card, residence permit card, mobile-ID or Smart-ID, etc.) or take a new document photo. All identity documents and photos remain valid.
How did the criminal gain access to my data (photo, personal identification code, and name)?
In order to download document photos, the criminal needed to know the person's name and personal identification code. Although this is public data, i.e. available from various public databases, the exact origin of the data and the motives of the criminal need to be established by the investigation. With the help of the people's names and personal identification codes, the criminal managed to forge the person's certificate so that the system thought that the person, instead of the criminal, was the one who wanted to download the photo. RIA identified and corrected the system error. Such manipulation is no longer possible.
Who and for what reason wanted my data?
The police have arrested an Estonian citizen whose computer was used to commit the theft. The questions of whether the person acted alone, what the person's aim was, and what the person wanted to do with the data remain to be clarified by a criminal investigation.
Has anyone else stolen the data of Estonian people in this way because of a system flaw?
According to the information we currently have, we have no reason to believe that something similar would have been done before, but we are checking this information.
How long did this flawed system function before the discovery of the flaw?
Although this solution was created with this flaw several years ago, current monitoring and information gives no reason to believe that such an attack against the system would have succeeded in the past.
Editor's note: This article was updated to add the FAQs.
Editor: Andrew Whyte, Helen Wright