Estonia arrests hacker who stole 286K ID scans from govt database

Image: Stanislav Rabunski

A Tallinn man was arrested a week ago in Estonia under suspicion that he has exploited a government photo transfer service vulnerability to download ID scans of 286,438 Estonians from the Identity Documents Database (KMAIS).

The attacker was apprehended on July 23, following a Cybercrime Bureau of the National Criminal Police and RIA joint investigation that started after RIA was alerted of a higher than the usual number of queries.

“During the searches, investigators found the downloaded photos from a database in the person’s possession, along with the names and personal identification codes of the people,” Oskar Gross, head of the police’s cybercrime unit, said.

“Currently, we have no reason to believe that the suspect would have used or transmitted this data maliciously, but we will further clarify the possible motives for the act in the course of the proceedings.”

Stolen info cannot be used for fraud

The suspect downloaded the government document photos using the targets’ names and personal ID codes (available from various public databases).

RIA added that the stolen information could not be used to perform notarial or financial transactions or gain access to state digital services by impersonating the impacted individuals.

“It is not possible to gain access to e-services, give a digital signature, or to perform different financial transactions (incl. bank transfers, purchase and sales transactions, notarial transactions, etc.) using a document photo, personal identification code, or name,” RIA Director General Margus Noormaa added.

“People whose document photos have been stolen need not apply for a new physical or digital document (passport, ID-card, residence permit card, mobile-ID or Smart-ID, etc.) or take a new document photo. All identity documents and photos remain valid.”

All impacted individuals to be notified via email

Although the vulnerability was introduced in the system and could’ve been exploited several years ago, current evidence doesn’t show that such an attack has happened since then.

RIA also said that the data was not transferred from the suspect’s computer after it was stolen from KMAIS, and there is no reason to believe that it was misused in any way.

All Estonian citizens who had their ID scans and personal information stolen during the incident will be notified via email by the Estonian Police and Border Guard Board.

RIA added that this incident is not connected with another breach disclosed earlier this month when the personal data of over 300,000 people was exposed on the Eesti.ee state portal’s access rights management system.