Argentina suffered one of the most damaging data breaches a country can face last week: access to the government database holding every citizen's national identity card data was offered for sale on the dark web.
The National Register of Persons contains images of every government-issued national ID, as well as all the information printed on the card in text form for easy searching. As proof of access, the hacker released the ID photos and personal information of 44 of the country's public figures and offered to look up any Argentine citizen's record for a fee.
Government database breached; not sure if data was stolen or if insider access is to blame
The Registro Nacional de las Personas (RENAPER), or National Register of Persons, is a central government database maintained by the Argentine Ministry of the Interior and widely used by agencies across the country to look up the personal information of citizens. The database contains a scan of each national identity card issued, as well as text entries of the information displayed on it: full name, facial photo, home address, the national identification number used for tax and business purposes, and the barcode data processed by internal systems.
The Argentine government does not believe this was an external intrusion in which outsiders entered the system and exfiltrated the stored data. Rather, it believes that an Interior Ministry employee with authorized access to the database is offering the information for sale. A press release from the agency said eight employees are under investigation for a possible role. The agency also said that one of its VPN accounts was used to query the database just before photos of the people looked up were posted to Twitter by the attacker.
This theory is consistent with the attacker's dark web listing, which does not offer any part of the database itself for sale. Instead, it offers lookups on a name-by-name basis, although it also claims full access to the records of the country's 45 million registered citizens. Selling lookups one at a time is a laborious and risky way to profit from a breach, and one that could be cut off quickly by disabling the compromised credentials. An employee whose access does not depend on a single VPN connection is therefore a more plausible explanation than an outside party trying to use a compromised VPN account indefinitely for paid searches.
For their part, the attacker claims to be an outsider who exfiltrated the entire contents of the database. Before the attacker's Twitter account was deleted, they released the personal information of 44 prominent Argentines, including Lionel Messi and Sergio Agüero, as well as President Alberto Fernández. They had also claimed they could release the information of "one to two million people" as evidence, although the account appears to have been deleted before that happened. The attacker says they compromised a VPN account, attributing this to "reckless employees" rather than to an insider.
Chronic problems with the cybersecurity of the Argentinian national government?
The breach follows the "La Gorra Leaks" incidents of 2017 and 2019, each involving government accounts and databases. In the original 2017 incident, the email and Twitter accounts of Argentina's security minister were compromised, with the hacker posting screenshots of images and files. The incident drew more coverage for the government's response than for the breach itself, as people who wrote about it, including security researchers and political opposition figures, were raided merely for posting about it on blogs and social media. The pattern repeated in 2019 when an unknown hacker leaked 700 GB of information from government databases (roughly 200,000 PDF files) to dark web forums and messaging platforms. The leaked information embarrassed a number of politicians and law enforcement officials.
The government itself has also been a source of security concerns. In 2018, the federal government and the city of Buenos Aires attempted to adopt measures allowing law enforcement to deploy malware as part of criminal investigations. The bills were widely criticized for their lack of basic privacy and security protections and were ultimately scrapped.
Tony Pepper, CEO of Egress, weighed in on the risk Argentinean citizens face if their national ID cards are freely available on the dark web to anyone willing to pay: "With the data of millions of people at risk, Argentinian citizens are now prime targets for follow-up attacks, such as financial fraud, sophisticated phishing attempts and identity theft scams, aimed at stealing other personal data, identities and even their money."
A number of other security experts have weighed in on what needs to change to protect these extremely sensitive government databases. According to Saryu Nayyar, CEO of Gurucul: "It demonstrates the need for all organizations to use analytics and machine learning to find and report unusual activity on the network. It is very unlikely that a legitimate employee will need to download all the records. A good analytics solution would have used real-time data to quickly identify this anomaly, which would have allowed it to be remedied before the download was complete."
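The agency's own clue (a single VPN account querying the register just before the leak) and Nayyar's point (no legitimate operator pulls the whole register) both come down to per-account query volume and pattern. The following is an added example, not code from the article, from RENAPER or from any vendor quoted here: it builds a constructed audit log in a hypothetical line format, then flags any VPN account whose hourly lookup count is a robust outlier (median plus k times the median absolute deviation, floored at an absolute minimum so that a quiet night shift is not flagged) or whose lookups walk consecutive DNI numbers, the signature of someone enumerating the registry. Account names, thresholds and the log format are assumptions made for the illustration.

```python
"""Added example: flag an account bulk-querying a person registry from audit lines.

The log format, the account names and the thresholds are assumptions for this
illustration; they are not RENAPER's logging or any vendor's product.
"""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical audit line: "<iso-timestamp> vpn=<account> op=<operation> dni=<number>"
LINE_RE = re.compile(r"^(?P<ts>\S+) vpn=(?P<account>\S+) op=(?P<op>\w+) dni=(?P<dni>\d+)$")


def build_sample_log():
    """Constructed sample audit lines (not real data). Three operators make a few
    scattered lookups per working hour; one VPN account walks the registry in
    DNI order late at night, the behaviour the analysts quoted above describe."""
    lines = []
    day = datetime(2021, 10, 9)
    for hour in range(9, 18):
        for i, acct in enumerate(("op.alice", "op.bruno", "op.carla")):
            for k in range(4 + i):                       # 4, 5 and 6 lookups per hour
                ts = day.replace(hour=hour, minute=(k * 11 + i * 3) % 60)
                dni = 20_000_000 + (hour * 9973 + i * 131 + k * 7919) % 30_000_000
                lines.append(f"{ts.isoformat()} vpn={acct} op=lookup dni={dni}")
    night = day.replace(hour=23)
    for k in range(150):                                 # one lookup every 20 s, DNIs in order
        ts = night + timedelta(seconds=20 * k)
        lines.append(f"{ts.isoformat()} vpn=op.dario op=lookup dni={30_000_000 + k}")
    return "\n".join(lines)


def parse_log(text):
    """Parse audit lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "account": m["account"],
            "op": m["op"],
            "dni": int(m["dni"]),
        })
    return events


def hourly_counts(events):
    """Number of lookups per (account, hour) bucket."""
    counts = Counter()
    for e in events:
        if e["op"] == "lookup":
            hour = e["ts"].replace(minute=0, second=0, microsecond=0)
            counts[(e["account"], hour)] += 1
    return counts


def sequential_ratio(events, account):
    """Fraction of an account's successive lookups whose DNI is exactly one higher
    than the previous one; a value near 1.0 means the account is enumerating."""
    dnis = [e["dni"] for e in sorted(events, key=lambda e: e["ts"])
            if e["account"] == account and e["op"] == "lookup"]
    if len(dnis) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(dnis, dnis[1:]) if b - a == 1)
    return steps / (len(dnis) - 1)


def flag_bulk_accounts(events, k=5.0, min_count=20, seq_threshold=0.8):
    """Robust outlier test on hourly volume (median + k * MAD, floored at
    min_count) plus the enumeration check. Returns {account: [reasons]}."""
    counts = hourly_counts(events)
    values = list(counts.values())
    median = statistics.median(values)
    mad = statistics.median(abs(v - median) for v in values) or 1  # guard a zero MAD
    limit = max(median + k * mad, min_count)
    flagged = defaultdict(list)
    for (account, hour), n in counts.items():
        if n > limit:
            flagged[account].append(
                f"{n} lookups in the hour from {hour.isoformat()} (limit {limit:g})")
    for account in {a for a, _ in counts}:
        ratio = sequential_ratio(events, account)
        if ratio >= seq_threshold:
            flagged[account].append(f"{ratio:.0%} of lookups hit consecutive DNIs")
    return dict(flagged)


if __name__ == "__main__":
    for account, reasons in flag_bulk_accounts(parse_log(build_sample_log())).items():
        print(account, "->", "; ".join(reasons))
```

The median/MAD baseline is deliberately chosen over mean/standard deviation: a single account pulling 150 records an hour would drag the mean up and mask itself, whereas the median and MAD are unaffected by one outlier. In practice the enumeration check is the more telling signal, because a lookup service sold one name at a time produces scattered DNIs while a full copy produces a sorted walk; either signal alone is enough to justify disabling the VPN account, which is the quick containment the article notes the agency had available.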
And Rajiv Pimplaskar, CRO at Veridium, sees biometrics as the answer: "National ID systems should move away from knowledge-based authentication (KBA) such as PIN codes or passwords and adopt biometric modalities such as face and fingerprints. Biometrics reduce the risk envelope of ID theft and lateral movement that can proliferate data breaches. Several contactless biometric solutions are available to be accessed through consumer smartphones that can enable a variety of remote enrollment and verification use cases. These modalities should be device independent in order to provide consistent access and user experience to all citizens, regardless of the make and model of their mobile phone."