RIA urges residents to pay greater attention to data protection

  • 2019-07-12
  • BNS/TBT Staff

TALLINN - In a press release published after reports that data security flaws have allowed outsiders to get access to the data of customers of some Estonian retailers and service providers, the Information System Authority (RIA) urged all individuals and businesses to take a serious approach to data protection.   

"People should think carefully about what data they provide and to where, because after providing it they no longer control their data. Our recommendation for businesses is to regularly test the security of your online environments and other systems, regularly identify and patch software weaknesses. All this is many times cheaper than dealing with consequences later," Uku Sarekanno, head of the cybersecurity service at RIA, said.

This week and last week, two businesses and one municipality informed RIA about their data and transactions being public and accessible on the internet. In total, data concerning at least 34,000 individuals and 100,000 transactions was accessible online.

It was possible to publicly access the user data of the charlot.ee online store and of the Bewegen company, which provides a bike share service in Tartu, as well as data related to 100,000 transactions by corporate clients of the fuel retailer Olerex.

"According to initial estimates, the data was public as a result of human error. RIA however did start supervision proceedings with regard to all three parties to find out whether their information systems are sufficiently protected," Sarekanno said.

The CERT-EE incident handling unit of RIA received information from Olerex on the evening of July 9 that, as a result of a relocation of equipment, data about approximately 100,000 transactions by corporate clients had been left accessible to outsiders.

"As we have learned, what leaked was the name and the personal identification code of corporate clients; credit card data was not accessible. This doesn't mean that the data of 100,000 persons was accessible, but of 100,000 transactions at the pump. We do not know the exact number of clients whose name, personal identification code and card limit could be found on the internet," Sarekanno said.

Olerex also checked its other environments to rule out the possibility of a similar situation and is in the process of carrying out a security audit.

Sarekanno said that in the case of Olerex, data about transactions concluded in the past one-and-a-half months became accessible, and the security weakness was eliminated on July 9.

"It was possible to find this data when knowingly searching for it; it was not something that just anyone would come across. The security weaknesses were probably searched out by a robot which tried to get into different databases. We also know that this data was in fact downloaded," Sarekanno said.

Information about a second major incident also reached RIA on July 9, when the city government of Tartu informed it about a security weakness in the database of the bike share service provider Bewegen. As a result of the flaw, the data of a little over 20,000 users could be accessed without authentication from the launch of the service until July 9, when the flaw was eliminated. The data that leaked included the user's name, e-mail address, phone number and user ID, which made it possible to see where the person was moving. The personal identification codes of 7,180 users could also be seen, as their accounts were linked to their bus cards.

Information about the first of the recent data leaks was received by RIA thanks to a journalist on July 3, when it was revealed that catalogs containing the personal data of about 14,000 users of the Charlot e-shop were available online.

"Since, in addition to the phone number, the name and the address, the e-mail address and the e-store login password in plain text were also available, users of Charlot must change their passwords. It is more than likely that the password meant for logging into the e-store was also in use in other environments. If this data reaches cyber criminals, they will be able to log into other environments as well, knowing the e-mail address and the password," Sarekanno said.