Data on more than 300,000 people were available on the state portal

On 9 July, the Information System Authority closed a database in the self-service environment for entrepreneurs on the state portal eesti.ee. The database contained the first and last names, personal identification codes, places of work and, in some cases, links to previous positions of 336,733 people. The database was only accessible to people whose data were in the database.

The database, together with personal data, was visible to those company representatives who had logged in to the self-service environment and made inquiries in the access rights management system there. The self-service environment is a system for authorised persons of an agency or company where you can assign roles to your employees and provide access to various services.

The data in the database is based on the commercial register where it is updated periodically. The Information System Authority has no information on whether anyone had saved the data and how. The access to the data was discovered by an attentive user of the portal.

‘This function was created about ten years ago, and it gave representatives of agencies and companies the right to manage the access rights of their employees. The system was originally designed so that the data of authorised persons were also visible to other authorised persons because at that time, the public view and approach to data protection and privacy was different to what it is today. However, the reasons why the environment was not updated and which processes need critical attention in order to prevent similar things from happening again in the future will be determined by the internal control procedure. We also reported the incident to the Data Protection Inspectorate,’ said Margus Arm, Director of the Information System Authority.

Due to the partial closure of the access rights application of the self-service environment, the authorised representatives of companies must contact the helpdesk of the Information System Authority at help[@]ria.ee in order to change the roles of their employees and grant access in information systems outside the state portal. Entrepreneurs can still manage the rights of services located on eesti.ee. This means that if the client wishes to give its accountant the right to draw up a certificate of incapacity for work (a service on eesti.ee), they can do so in the old way, i.e. without writing to the helpdesk of the Information System Authority (help[@]ria.ee). However, if they wish to give their employee the right to use the service of the information system outside the state portal, they must write to the helpdesk (help[@]ria.ee).

In the first half of 2021, the self-service environment was used about 120 times a month. After closing the environment, the helpdesk of the Information System Authority has been contacted 2–3 times a day on average to change the access rights. ‘We are monitoring the situation. If the volumes increase or some time-critical processes appear, we will introduce other solutions,’ said Arm.
