Georgian Population Allegedly Exposed in a Massive Personal Data Leak

A ghost database containing millions of records on Georgian citizens has appeared in the cloud and then mysteriously disappeared, according to the cyber data leak checker Cybernews, which adds that the leak leaves sensitive personal data potentially vulnerable to malicious actors.

According to the publication, Bob Dyachenko, a cybersecurity researcher and owner of SecurityDiscovery.com, and the Cybernews research team discovered an unprotected Elasticsearch index. Elasticsearch is a platform for data analytics and search in near real-time.

“The data appears to have been collected or aggregated from multiple sources, potentially including governmental or commercial data sets and number identification services,” Dyachenko is quoted by Cybernews.

It adds that the instance was hosted on a server owned by a cloud service provider based in Germany. One of the exposed indices allegedly included nearly five million individuals’ personal data records, and another contained over seven million phone records with associated personal information. The data may have included duplicate entries and records of deceased individuals.

The sensitive personal data, according to Cybernews, included ID numbers, full names, birthdays, genders, certificate-like numbers (potentially insurance), and phone numbers with descriptive information about the owner.

No direct information identifies the entity responsible for managing the Elasticsearch index.

Shortly after the discovery of the breach, the server was taken offline and public access to the data was closed.

“Threat actors can weaponize personal data for both political or criminal activities. State-sponsored hackers can exploit the leak for political manipulation, disinformation campaigns, or targeted harassment. Meanwhile, profit-seeking hackers can exploit the data for various malicious activities,” Dyachenko is quoted as saying.

The publication warns that cybercriminals may attempt to commit identity theft by impersonating individuals or using other social engineering techniques to hijack accounts and commit financial crime.

Civil.ge has contacted the Personal Data Protection Service of Georgia for comment. This news will be updated as soon as we have the Service’s response.

More to follow…
