A recent hack by a single individual of close to 300,000 personal identification photos from the State Information System (RIA) is unlikely either to result in compensation to those whose data was stolen, or in a fine for RIA, ETV news show 'Aktuaalne kaamera' (AK) reported Friday night. A RIA spokesperson said in theory the leaked data could be used for setting up fake social media accounts.
Since those whose photos were obtained did not suffer any negative consequences of the hack, no compensation is due, RIA says.
Liisa Ojangu, legal adviser at another state agency, the Data Protection Inspectorate (AKI) added that state agencies cannot in any case be issued fines.
Ojangu told AK that: any individual who wanted to seek compensation would: "In the first stage … have to go to the RIA or the Police and Border Guard Board (PPA) in any case, and find out the extent of the damage, and then file your claim."
"If the authorities disagree, the next step is to recourse to the administrative court, which will then assess all these circumstances," Ojangu went on.
Ojangu added that there was at least one precedent, where a plaintiff did not receive compensation.
"A case is known from practice, where human health data and data related to disability was made publicly available via the document register of the institution in question, but the Supreme Court did not consider financial compensation necessary when assessing the circumstances of that case," Ojangu said.
The breach took place just over a week ago, on Friday, July 23, and saw 286,438 photos being downloaded en masse from 9,000 different domestic and foreign IP addresses, using a malware network and forged digital certification.
At the same time, the trifecta of photo, ID code and given names is not sufficient to misuse e-state systems via any of the three login methods – ID Card, Mobile ID and SMART ID – RIA says, though it could be sufficient for some types of identity fraud.
Gert Auväärt, RIA's Deputy Director General for Cyber Security, told AK that "Theoretically, based on a individual's photo and name, it is possible to create, for example, fake accounts on various social media platforms on the Internet."
"An even more theoretical possibility, one which could be carried out on the basis of a photograph and a name, would be rudimentary fake ID, though no service could be used on that basis, in Estonia at least," Auväärt went on.
The hacker, reportedly a resident of Tallinn, has already been apprehended.
Those whose data was compromised have been notified by email by the RIA; readers with an Estonian ID should check their inboxes if they have not done so already.
RIA says that its systems are constantly monitored, with attention stepped up even further after this week's leak.
One victim of the hack, Tatjana Kosmõnina, told AK that her trust in e-state services had fallen as a result of the incident, adding that the hacker ought to be rewarded, for exposing vulnerabilities in the national information system.
Kosmõnina, who has in the recent past been a newscaster for ERR's Russian-language portal, said that on receiving the RIA notification: "At first I thought it was some kind of internet hooligan, who wanted to take my money, and I thought in the very next email, they would write to me that if I wanted my photo back, to please send them some money."
"However, when I comprehended what had happened, I thought to myself, well, some other nonsense has happened with our e-government. What is there to do, nothing. So I laughed and forgot about it," she went on.
Editor: Andrew Whyte