Data on more than 300,000 people were available on the state portal

On 9 July, the Information System Authority closed the database on the state portal eesti.ee in a self-service environment for entrepreneurs which contained the first and last names, personal identification codes, places of work and, in some cases, links to previous positions of 336,733 people. The database was only accessible to people whose data were in the database.

The database, together with personal data, was visible to those company representatives who had logged in to the self-service and made inquiries in the access rights management system there. The self-service environment is a system for authorised persons of an agency or company where you can assign roles to your employees and provide access to various services.

The data in the database is based on the commercial register where it is updated periodically. The Information System Authority has no information on whether anyone had saved the data and how. The access to the data was discovered by an attentive user of the portal.

‘This function was created about ten years ago, and it gave representatives of agencies and companies the right to manage the access rights of their employees. The system was originally designed so that the data of authorised persons were also visible to other authorised persons because at that time, the public view and approach to data protection and privacy was different to what it is today. However, the reasons why the environment was not updated and which processes need critical attention in order to prevent similar things from happening again in the future will be determined by the internal control procedure. We also reported the incident to the Data Protection Inspectorate,’ said Margus Arm, Director of the Information System Authority.

Due to the partial closure of the access rights application of the self-service environment, the authorised representatives of companies must contact the helpdesk of the Information System Authority at help[@]ria.ee in order to change the roles of their employees and grant access in information systems outside the state portal. Entrepreneurs can still manage the rights of services located on eesti.ee. This means that if the client wishes to give its accountant the right to draw up a certificate of incapacity for work (a service on eesti.ee), they can do so in the old way, i.e. without writing to the helpdesk of the Information System Authority (help[@]ria.ee). However, if they wish to give their employee the right to use the service of the information system outside the state portal, they must write to the helpdesk (help[@]ria.ee).

In the first half of 2021, the self-service environment was used about 120 times a month. After closing the environment, the helpdesk of the Information System Authority has been contacted 2–3 times a day on average to change the access rights. ‘We are monitoring the situation. If the volumes increase or some time-critical processes appear, we will introduce other solutions,’ said Arm.
