Information authority urges attention to cybersecurity following breaches
The Information System Authority (RIA) has urged both individuals and businesses to take seriously the issue of data protection and security. The announcement follows several recent, potentially serious data leaks, involving the retail and service sector, as well as one municipality, Baltic News Service reports.
Breaches occurring happened over the past two weeks, and affected charlot.ee online office supplies store, Bewegen bike share service in Tartu, and fuel retailer Olerex. In the latter case, data from as many as 100,000 transactions had been compromised. From July 9, the compromise issues were resolved, but the RIA is keen to highlight the incidents to avoid future reccurences.
Information about the first of the recent data leaks was received by the RIA on July 3 thanks to a journalistic source, who revealed that catalogs containing the personal data from about 14,000 charlot.ee customers were viewable online, BNS reports. The data would have potentially enabled wrongdoers to make purchases from the site using the compromised account data.
"Since in addition to phone numbers, the names, addresses, e-mail addresses and the e-store login passwords, as simple text, were available, users of charlot.ee need to change their passwords," said Uku Särekanno, RIA head of cybersecurity.
"It is more than likely that the password assigned to the e-store account was also in use in other environments (i.e. users may use the same password across the board-ed.). If this data reaches cybercriminals, they will be able to log into other environments as well, if they have both e-mail address and password," Särekanno said.
"People should think carefully about what data they provide and to where, because after providing it they no longer control their data," Uku Särekanno continued.
"Our recommendation is that businesses regularly test the security of their online environments and other systems, identifying and patching software vulnerabilities. This all works out many times more cost-effective than dealing with the consequences later," he noted.
"According to initial investigations, the data breach resulted from human error. The did RIA however start supervision proceedings with regard to all three parties to find out whether their information systems are sufficiently protected," Särekanno added.
The fuel station chain Olerex saw data from around 100,000 transactions by corporate clients compromised following relocation of equipment, the RIA announced Thursday.
"Olerex has confirmed that the data was downloaded on one occasion and by one person," the RIA said.
"The identity of that person is known. Olerex says no sensitive personal data leak has occurred from their database, and the data set downloaded by the individual has by now been destroyed," spokespersons for the organisation continued.
"From what we have learned, the leak concerned names and personal ID codes from corporate clients, though credit card data was not accessible," the RIA added.
"This doesn't mean that 100,000 persons' data was accessible, but that of 100,000 transactions at the pumps," said Uku Särekanno, adding that the precise number of clients whose details – name, ID code and card limit (but not numbers), might be found somewhere on the internet.
Olerex says it checked over other environments to rule out the possibility of a similar breach elsewhere, and is in the process of carrying out a security audit.
Särekanno said that the Olerex breach concerned transactions concluded in the previous month and a half, with the security weakness eliminated on July 9.
"This data would have been accessible to anyone knowingly seeking it out. The security weaknesses were probably examined by a bot, which tried to enter various databases. We also know that this data was in fact downloaded," Särekanno continued.
Tartu bike-sharing breach
Information about a third major incident also reached the RIA on July 9, when Tartu city government gave notice of security flaws in the database at bike share service provider Bewegen. As a result of the vulnerability, the data of a little over 20,000 users could be accessed without authentication from the launch of the service, down to July 9, when the flaw was eliminated.
Leaked data included users' names, e-mail addresses, phone numbers and user IDs, which together could have potentially revealed users' locations. ID codes from over 7,000 users were also visible, since the Bewegen accounts were linked to travel cards, according to BNS.
Editor: Andrew Whyte