A Tallinn man was arrested in Estonia under suspicion that he has exploited a government photo transfer service vulnerability to download ID scans of 286,438 Estonians from the Identity Documents Database (KMAIS).
The hacker was arrested on July 23, following a joint investigation by Cybercrime Bureau of the National Criminal Police and RIA that started after RIA was alerted of a higher than the usual number of queries.
According to Oskar Gross, head of the police’s cybercrime unit, during the searches, investigators found the downloaded photos from a database in the person’s possession, along with the names and personal identification codes of the people.
The suspect downloaded the government document photos using the targets’ names and personal ID codes that are available from various public databases.
The stolen information however could not be used to perform notarial or financial transactions or gain access to state digital services by impersonating the impacted individuals.
RIA stated that the individuals whose document photos have been stolen need not apply for a new physical or digital document (passport, ID-card, residence permit card, mobile-ID or Smart-ID, etc.) or take a new document photo. All identity documents and photos remain valid.
Although the vulnerability was introduced in the system and could have been exploited several years ago, there is no evidence of such an attack that has happened before.
RIA also stated that the data was not transferred from the suspect’s computer after it was stolen from KMAIS, and that he might not have misused in any way.
All Estonian citizens who had their ID scans and personal information stolen during the incident will be notified via email by the Estonian Police and Border Guard Board.
RIA added that this incident is not connected with another breach disclosed earlier this month in which the personal data of over 300,000 people was exposed on the Eesti.ee state portal’s access rights management system.