Further explanation of the Information System Authority (RIA) on data theft
People whose document photo was illegally downloaded do not have to get a new document or a new photo. The incident has no impact on ID-cards, Mobile-ID, Smart-ID or e-services.
RIA together with the Police and Border Guard Board sent a notice to the email addresses of the people whose document photo was illegally downloaded through the state portal eesti.ee. Many of the people who have received the notice are justifiably worried and have asked whether and how the theft of their data affects them, what they can do to protect themselves, and whether they themselves have done anything wrong. The situation is understandably unusual, it raises questions and confusion.
‘I assure you that none of the people whose photos were illegally downloaded have done anything wrong. The data theft was made possible by the skilful actions of the attacker and a security flaw in one of the old services of the Information System Authority (RIA). We fixed the security flaw in the system and stopped the attacker’s activities as soon as the incident was discovered. We have also proactively checked other similar services. In addition, we have the knowledge that this data has not been forwarded to another location, meaning that they did not get beyond the computer of the person who downloaded the data. We understand that damage has been done and we do not want to forgo responsibility. By responsibility, I mean that we will put things right and improve them so that attacks of this kind would not be possible in the future. I apologise to everyone that there was a security flaw of this kind in our service and that we were unable to detect it earlier,” said Margus Noormaa, Director General of RIA.
The illegal downloading of a document photo has no impact on ID-cards, Mobile-ID, or Smart-ID. All digital services provided by the state will continue to function without issues and the services remain reliable as a person’s photo, personal identification code, or name cannot be used to enter e-services, provide a digital signature, or perform financial transactions (incl. bank transfer, notarial transactions, etc.). People whose picture with their name and personal identification code was in the possession of the suspect will not need to apply for a new document or have a new photo taken. All identity documents and photos remain valid.
The preliminary assessment of the police indicates that the data obtained in the described manner has not been forwarded or misused. If a person suspects that their data have been misused, they should report this to the police.
Press-release, 28 July 2021: The Police and Border Guard Board and the Information System Authority stopped the illegal downloading of data
Was my data stolen?
All those whose document photo with their personal identification code and name was stolen will receive a notification to their email address to which they have directed notifications sent by the state. The data set that fell into the hands of the criminal includes a document photo, first name and surname, and the personal identification code of a person.
How can I be sure that my photo was not downloaded if I did not receive a notification from the Police and Border Guard Board?
The Police and Border Guard Board sent through the state portal eesti.ee a notice to the email addresses of the people whose document photo was illegally downloaded. If your @eesti.ee address has not been redirected or if you no longer use the email address to which your @eesti.ee messages are directed, you can log in to the state portal eesti.ee and view the mailbox, where the messages are stored.
How do I know if the attacker also stole document photos of my minor children?
We sent a notice to the email addresses of all those whose document photo was illegally downloaded, including minors, through the state portal eesti.ee. This means that you can see if the child has received this notification by logging into the state portal with the child’s account.
My children’s eesti.ee addresses are also redirected to my email address. How can I find out whose document photo was stolen?
The personal identification code in the recipient field of the email indicates to whom the email was forwarded. The email was sent to the personalidentificationcode [at] eesti.ee address of the person whose document photo was stolen.
What should I do if it turns out that my data has been stolen?
There is nothing you need to do. Based on the current information, we know that the data was not transmitted further from the suspect’s computer. Therefore, there is reason to believe that the data have not been misused more.
However, if the data was transmitted, it is important to consider the possibility that the combination of a picture, name, and personal identification code can only be used to create a rudimentary fake document (without security features). It is possible that such a document could be used for some services which identify people using a photo (e.g. vehicle and/or bike rent). Such services are used more abroad. It is also possible to create fake social media accounts, for example. Note! If you suspect that someone has used your data in any one of these ways, report this to the police.
It is important to remember that the theft of this data has no impact on ID-cards, Mobile-ID, or Smart-ID. All identity documents will also be valid, including the documents, the document photos of which were illegally downloaded. It is not possible to gain access to e-services, give a digital signature, or to perform different financial transactions (incl. bank transfers, purchase and sales transactions, notarial transactions, etc.) using a document photo, personal identification code, or name. People whose document photos have been stolen need not apply for a new physical or digital document (passport, ID-card, residence permit card, mobile-ID or Smart-ID, etc.) or take a new document photo. All identity documents and photos remain valid.
How did the criminal gain access to my data (photo, personal identification code, and name)?
In order to download document photos, the criminal needed to know the person’s name and personal identification code. Although this is public data, i.e. available from various public databases, the exact origin of the data and the motives of the criminal need to be established by the investigation. With the help of the people’s names and personal identification codes, the criminal managed to forge the person’s certificate so that the system thought that the person, instead of the criminal, was the one who wanted to download the photo. RIA identified and corrected the system error. Such manipulation is no longer possible.
Where did the attacker get my name and personal identification code from?
The attacker had to have known a person’s name and personal identification code to make the system think that the person was trying to download their own photo. The origin of the data (name and personal identification code) in the attacker’s possession will be established by a criminal investigation. The name and personal identification code of a person are regular, not special categories of personal data, and are publicly available upon a query from various databases (e.g. commercial register, land register, etc.).
Who and for what reason wanted my data?
The police have arrested an Estonian citizen whose computer was used to commit the theft. The questions of whether the person acted alone, what was the person’s aim, and what did the person want to do with the data remain to be clarified by a criminal investigation.
Why did the attacker need the photos? What kind of fraud is possible with this kind of a data set?
The motives of the attacker will be established by a criminal investigation.
Photos, names, and personal identification codes can, of course, be used to create some rudimentary forged document without security features, but this is also possible with any kind of a photo. It is not possible to gain access to Estonia’s e-services, give a digital signature, or to perform different financial transactions (incl. bank transfers, purchase and sales transactions, notarial transactions, etc.) using a document photo, personal identification code, or name.
There are services that identify a person by their picture (e.g., some car and bicycle rental services), but these services also compare the person’s own facial image with that of their document photo, not the photo that is in the database. Therefore, even in this case, it is rather unlikely that the stolen document photo would be used in an attempted fraud. But if you suspect that someone has used your data in any one of these ways, be sure to report this to the police.
Document photo theft has no impact on ID-cards, Mobile-ID, or Smart-ID. All identity documents will also be valid, including the documents, the document photos of which were illegally downloaded.
Has anyone else stolen the data of Estonian people in this way because of a system flaw?
According to the information we currently have, we have no reason to believe that something similar would have been done before, but we are checking this information.
How long did this flawed system function before the discovery of the flaw?
Although this solution was created with this flaw several years ago, current monitoring and information gives no reason to believe that such an attack against the system would have succeeded in the past.
Will the state reimburse the replacement of my document if I get a new identity document?
There is no need to replace your documents because of this data theft and therefore, the state will not cover the issuance of new documents. If a person does wish to replace their documents, they have the option to request a new document from the Police and Border Guard Board by paying for the document themselves.
Even if the attacker had transmitted the stolen data to someone else before being arrested, there would still be no need to replace documents because of it, as the data (document photo, name and personal identification code) obtained by the attacker cannot be used to access any e-service provided by the state or the bank and it is also not possible to perform notarial or other financial transactions.
How can I know what data the state has about me?
The state does not have one great database that would include all the data of all the citizens. Each authority only has the citizens’ data that is necessary for its work (e.g. identity documents database for the police, employment register for the Tax and Customs Board, etc.).
If a citizen wants to know what data the state has about them, it is necessary to contact the specific authority separately and ask them which data of theirs the authority processes. It is also possible to use the data tracker application of the state portal to see who has requested your data from various databases.
This so-called data separation principle is followed for security reasons. This way, in the event of a security flaw or some other incident, it is not possible to access all the data at once. It is because of such a system that in this case of data theft, the attacker was only able to get hold of document photos but no other (and more sensitive) document data.
How will it be ensured that data is securely retained in the future?
Owners and responsible persons of all databases are working every day to make their systems increasingly secure. The personal data of the Estonian people is scattered around in different databases so that any potential attacker could not gain access to all the data at the same time. Accessing the data leaves behind digital footprints. These footprints can, in turn, be used to detect violations.
Do I have to report the crime to the police?
People whose photo was illegally downloaded from the database do not need to report it to the police. The police initiated criminal proceedings immediately after the incident was discovered to establish the circumstances of the illegal downloading of document photos.
If you suspect that someone has misused your data in any way – e.g., created a fake document using your picture, name, and personal identification code, created a fake social media account, or stolen your identity in any other way in connection to the downloading of the document photo – be sure to report this to the police ». If identity theft has taken place in another state, a report must be filed with the police in that state. Based on the current information, the police have no reason to believe that the suspect had used or transmitted the downloaded data maliciously. A separate notice will be issued if the police establish during the proceedings that the data was transmitted.
How can the state help me if it turns out that my document photo has been used in an attempted fraud?
In the case of attempted fraud, each case needs to be dealt with individually. Identity theft is a criminal offence and if there is a suspicion of data theft, a report must be filed with the police ». If identity theft has taken place in another state, a report must be filed with the police in that state.
Why is the attacker not in custody?
The police and the prosecutor’s office decide on taking people into custody in accordance with the law. Based on the information collected by the police, the person acted alone and there was no sign during the search that the person would start absconding from further investigation. The prosecutor’s office decided that it was not necessary to keep the person in custody.
Who is responsible for this situation?
The attacker was able to access the photos because of a security flaw in the service managed by the Information System Authority (RIA). We apologise for this. Security vulnerabilities are constantly being identified and addressed. Thanks to the principle of collecting Estonian peoples’ data in a dispersed manner, the attacker was unable to gain access to all document data, instead only being able to get access to document photos. While the security flaw was in the service managed by RIA, the attacker is responsible for having exploited it and committing data theft.
Can I claim compensation for damage from the Information System Authority?
A prerequisite for claiming compensation for damage is that the person has suffered damage. The injured party must be able to prove the occurrence of the damage. In addition, the damage must have been caused directly as a result of an unlawful act or omission attributable to the Information System Authority. A person may also claim compensation for damage if damage could not be prevented and cannot be eliminated by the protection or restoration of rights. In this case, the attacker’s activity has been stopped, the security vulnerability in the system has been fixed, the attacker has been identified and RIA has apologised to the persons who were affected by the data theft. The data was not transmitted further from the attacker’s computer; therefore, there is no risk of further dissemination of the data. Hence, in the opinion of the Information System Authority, there is no reason to pay financial compensation for non-patrimonial damage.
However, if you find that the Information System Authority has unlawfully caused you patrimonial damage or that the non-patrimonial damage threshold is exceeded to justify a financial compensation, you have the right to submit an application for compensation to the Information System Authority at the email address help [at] ria.ee or file a complaint with a court.
If you did not find the answer to your question, contact us via email at help [at] ria.ee.
More news on the same subject
The Police and Border Guard Board and the Information System Authority stopped the illegal downloading of data
28.7.2021 – Experts of the Information System Authority (RIA) have stopped the mass downloading of document photos from the identity documents database. The downloading was made possible via a security vulnerability in the photo transfer service managed by RIA. The police have detained a suspect and initiated criminal proceedings to establish the circumstances of the incident.
20.7.2021 – Ransomware attacks continue. Cybersecurity of the service provider is also your risk. Elections are not the place for experimenting with facial recognition. A Joint Cyber Unit for Europe?