The most recent hacking incident resulted in the hacker obtaining circa 300,000 document photos following an attack on the state information system. The suspect is reportedly a resident of Tallinn. As has become customary since the first cyberattacks on e-Estonia in 2007, the government has reacted in a very transparent manner.
The culprit managed to obtain the photos through a security vulnerability in the State portal eesti.ee, by forging digital certificates and using thousands of IP addresses in order to evade detection. To do this, the suspect had aggregated a database with hundreds of thousands of names and ID codes beforehand. This data was not, however, enough for the hacker to access e-state services, meaning the normal means of authentication (ID card, mobile ID, and Smart-ID) were not compromised.
The hacker also did not get full access to the database but requested each photo individually through a vulnerable service in the State portal – owned by the Information System Authority (RIA) – as if he were an authenticated user attempting to view their own photo. As of now, there is no evidence that the data has been uploaded elsewhere. Also, there is no evidence that the vulnerability had been exploited prior to this particular incident in July.
No risk of further dissemination
It was the swift cooperation between RIA and the Police and Border Guard Board that allowed the illegal downloading of data to be identified; possible further misuse was prevented by shutting down the system with the security weakness and by identifying and apprehending the suspect. All people affected were notified and, according to the authorities, may even ask for compensation.
RIA, however, clarified the issue further by stating: “In this case, the attacker’s activity has been stopped, the security vulnerability in the system has been fixed, the attacker’s identity has been identified and the RIA has apologized to the persons affected by the data theft. In addition, the data did not pass from the attacker’s computer and thus there is no risk of further dissemination of the data. Therefore, in the opinion of the RIA, there is no reason to award financial compensation for non-pecuniary damage.”
A GDPR violation?
There are claims in social media that a group of people has initiated a process of GDPR violation against the Estonian state.
“This is quite significant,” comments Lauri Almann, the co-founder of cybersecurity company CybExer Technologies – their cyber ranges and training are used by several governments and corporations – and a former state official (having served as the secretary-general of the Estonian Ministry of Defence during the infamous 2007 cyberattacks against Estonia that resulted in the formal establishment of the NATO Cooperative Cyber Defence Centre of Excellence). “This data for sure is eligible for GDPR protection. What makes this breach unique is the fact that the culprit in the situation is the government and the central agency that manages the governmental e-services. It is, however, laudable that the head of that agency has been extremely transparent about the incident as it is common in those cases in Estonia.”
In Almann’s opinion, it is laudable to see that the agency has put the issue of trust of the population at the forefront. “They have been extremely frank and open. Among the communication, the government has also stated that they are looking at the issue of liability, including the potential liability to people whose data was leaked. And they are open to discuss individual compensation as well. From a GDPR point of view this will definitely be a landmark case in the country and hopefully will be emblematic of the importance of protection of private data that governments all across the EU hold very-very dear.”
No small matter
Lauri Almann says that any incident of that size – a theft of 300,000 identity photos – is not a small matter. “In particular in the age where visual identity is making important strides and when these faces can be matched with names, birthdays, and personal identity codes. We should treat events like this extremely carefully and we should not even try to mitigate the significance of this. I for one can find multiple scenarios where this kind of database would fetch a handsome price in the black market. Likewise, I can see multiple uses for this kind of database in adversary government agencies.”
Estonia is one of the leading digital nations = continuously tested by hackers
“Information security experts regularly identify vulnerabilities in the systems through monitoring. Attempts to manipulate and hack into systems are countered on a daily basis,” is RIA’s official comment on the matter.
Some foreign outlets even stressed “Estonia’s electronic ID system was hacked last week. Again.”
Estonia is one of the world’s leading digital nations and has an impressive 20-year e-state legacy. It is understandable that not all systems can be closed down and rewritten (coded) from scratch from one day to the next. Therefore, cybersecurity vulnerabilities persist due to outdated systems that require constant attention and dedication of resources. Cybercrime itself is on the rise globally and is considered to be one of the most lucrative types of crime. To illustrate it further – Estonia’s systems are attacked and probed constantly, and CERT-EE combats these attacks daily.
A clear attack on the Estonian state
The Estonian state takes the latest incident seriously and is working to enhance its defence capabilities and cybersecurity. In fact, Andres Sutt, the IT and foreign trade minister, called the incident a clear attack on the Estonian state.
Sutt said: “Cybercrime is clearly on the rise, and that means we need to constantly invest in cybersecurity at both public and private levels. I will be speeding up the replacement of some older, legacy data systems and solutions.”
A wake-up call across Europe
“The head of the agency where the leak happened (RIA) has confirmed that the service in question went through a government-ordered penetration testing by a private contractor – they have also admitted that there was a human error during that test,” comments Lauri Almann. “We should use this opportunity to hold a discussion and brainstorm how we can improve the ways we carry out our penetration testing of e-services, how do we create an environment that encourages this type of hacker mindset – use of different techniques and approaches. Sometimes the critique has been that the approach to penetration testing has been too formal, reliant on formal certifications. This event probably is a wake-up call – not only in Estonia but across Europe – to take a hard look at how governmental agencies carry out penetration test activities, how to have a conversation and dialogue with the private sector to apply out-of-the-box novel solutions to further increase our cybersecurity. The easiest and quickest fix would be to have two penetration-testing companies testing the services in a competitive environment – what we need to ensure is that we always have a fresh pair of eyes on our critical systems. This does not exist today. This is bad practice.”
Countries and cities paying to be hacked
Almann also gives examples of governments taking the right steps against cybercrime – the UAE government has initiated a governmental bounty project, and the city of The Hague has initiated a hack-the-city day.
Alongside formal penetration testing policies in public procurement, CERT-EE is working around the clock with the Estonian cybersecurity community (working both in public and private institutions) to coordinate information regarding the discovery and mitigation of security vulnerabilities in Estonian digital services. For example, a recent bug in the Entrepreneur view of the State portal was discovered and disclosed to CERT-EE by an outside party and was fixed before it could be exploited by malicious actors.
Be open and fill the (cyber skills) gap
To conclude – cyber incidents will not be going anywhere anytime soon. They will only be increasing. And governments need to be constantly outsmarting the hackers. Being open about incidents is always a good idea and this is what Estonia has been doing well. Since 2018, the government has also held Advanced Digital and Cyber Defence courses – organized by the International Center for Defence Studies in cooperation with the Ministry of Economic Affairs and Communications, NATO CCDCOE, and the State Information System Agency. The trainees are opinion leaders and shapers of the Estonian press, politics, business, and other areas of life.
communications manager at the e-estonia briefing centre