Hundreds of thousands of ID photos illegally downloaded in Estonia

  • 2021-07-28
  • BNS/TBT Staff

TALLINN - Experts from the Estonian Information System Authority (RIA) and the Police and Border Guard Board have halted the downloading of hundreds of thousands of document photos from the national identity documents database, after a security flaw in a photo provision service managed by RIA was exploited.

The company SK ID Solutions notified RIA on July 16 of an increase in the number of queries. On July 21, through additional monitoring, RIA detected a massive download of data from the identity document database KMAIS and closed the service, spokespeople for RIA said on Wednesday.

The following day, RIA determined the potential IP address through which the ID photos were downloaded and will forward the information to the police. RIA also opened an internal investigation to find out the reason that allowed the manipulation of the control mechanism of the photo provision service.

The suspect downloaded the photographs of 286,438 people from the identity documents database using forged digital certificates. The suspect did not gain access to the database, but abused a security vulnerability in a service managed by RIA, which made it possible to obtain a person's ID photo using queries.

RIA shut down the photo provision service immediately after the misuse of the service was detected and fixed the security flaw. On July 23, the police detained the suspect in Tallinn and a criminal investigation has been launched.

The service whose vulnerability was exploited is structured so that obtaining a photo requires additional checks by five subsystems. The suspect found a security flaw in one of RIA's applications, which did not sufficiently verify the validity of the query it received.

"Such manipulating of systems requires knowledge of the domain, skill and, as a rule, also well thought-out preparation. The attacker had to know the person's name and personal identification code in order to make the system think that the person was trying to download his or her own photograph," said Margus Noormaa, director general of RIA.
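The flaw described above is an authorization check that trusts identity fields supplied in the query instead of the identity proven by the caller's certificate. The following is an added example, not RIA's code: a minimal model of a photo lookup with that weakness beside a hardened version, plus the kind of per-client volume check that caught the bulk download. All records, issuer names, IPs and log lines are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed document records: personal code -> (name, photo identifier)
RECORDS = {
    "38001010001": ("Mari Maasikas", "photo-001"),
    "49002020002": ("Jaan Tamm", "photo-002"),
}
TRUSTED_ISSUERS = {"TRUSTED-ISSUER"}  # placeholder for the real CA name


@dataclass
class Cert:
    subject_code: str   # personal code carried in the certificate subject
    issuer: str         # who signed the certificate
    chain_valid: bool   # outcome of a real chain, signature and revocation check


@dataclass
class Query:
    name: str
    personal_code: str
    cert: Cert


def vulnerable_lookup(q: Query):
    # Flaw: only the name and code in the request are checked against a record,
    # so any caller who knows another person's name and code gets their photo.
    rec = RECORDS.get(q.personal_code)
    return rec[1] if rec and rec[0] == q.name else None


def hardened_lookup(q: Query):
    # 1. The certificate must chain to an issuer we trust; forged ones fail here.
    if not q.cert.chain_valid or q.cert.issuer not in TRUSTED_ISSUERS:
        return None
    # 2. The caller may only fetch their own photo: the code proven by the
    #    certificate must equal the code asked for. Request fields never decide alone.
    if q.cert.subject_code != q.personal_code:
        return None
    rec = RECORDS.get(q.personal_code)
    return rec[1] if rec and rec[0] == q.name else None


def flag_bulk_clients(log_lines, threshold):
    """Count photo requests per client IP over constructed log lines of the
    form '<ip> <personal_code> <result>' and return IPs above the threshold."""
    per_ip = Counter(line.split()[0] for line in log_lines)
    return sorted(ip for ip, n in per_ip.items() if n > threshold)
```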

Oskar Gross, head of the cyber crime bureau at the Central Criminal Police, said that police worked with RIA experts to investigate what had happened and found data that enabled them to identify the suspect.

"Where usually, when talking about cyber crime, we talk about international crime, in this case the suspect was operating in Estonia, which allowed him to be detained quickly. During the searches, investigators found photographs downloaded from the database in his possession, along with people's names and personal identification codes. At this time, we have no reason to believe that the suspect maliciously exploited or forwarded this data, but during the proceedings we will further specify the possible motives for the act," Gross said.

RIA experts have additionally checked other services to rule out similar security weaknesses.

"As a result of the monitoring, we have not detected any potential attack paths, but we will move on with the checks. We are constantly working with our partners to detect vulnerabilities before someone exploits them with bad intentions," said Noormaa.

According to Minister of Entrepreneurship and Information Technology Andres Sutt, this incident illustrates cyber threats that are growing globally, which is why Estonia is also raising the defensive capability of its cyber sector.

"Cybersecurity is an integral part of the functioning of the Estonian digital state and a matter of national security. In recent months, the frequency, scope and intensity of cyber attacks have increased, which demonstrates a changed threat picture in cyberspace," said Sutt.

Examples of this, according to the minister, include attacks on state institutions, infrastructure and health care systems, the recent attack on service providers on which Swedish grocery stores depended, and ransomware attacks on Estonian businesses.

"Our national systems have not remained untouched either, and in the light of growing cyber threats, we are further enhancing our cyber capabilities. If in national defense we have a clear target, meaning 2 percent of GDP, then in the area of cybersecurity we do not have such a goal, although our digital society also needs protection. My goal is to agree on a similar target for cybersecurity investments, which will become an international benchmark," Sutt added.

The Police and Border Guard Board will send a notification to the e-mail address linked to the state portal to all those whose document photo was illegally downloaded. No one whose photo was downloaded will have to take a new photo or apply for a new document.

A document photo combined with a person's name and personal identification code cannot be used to log in to any of Estonia's national e-services or to execute notarial or other transactions. What happened has no effect on the ID-card, the residence permit card, mobile-ID or Smart-ID, RIA said.

On the basis of the information available at this stage, the data theft is not linked to the recent incident in which personal data was visible in the authorization management system's self-service environment, RIA added.