We have to push ahead with digitization, they say. We hear less about security, but they also say that data is the new oil. A hacker took this literally and penetrated the IT network of the Argentine government. He was then able to access the identity card data of the country's entire population from RENAPER (Registro Nacional de las Personas) and stole data. He is now selling the data to private circles.
The first indication that someone had penetrated RENAPER surfaced on Twitter in early October, when a newly registered (and now deleted) account called @AnibalLeaks published ID photos and personal data on 44 Argentine celebrities. This included the data of Argentine President Alberto Fernández, several journalists and political figures, and even the data of soccer superstars Lionel Messi and Sergio Aguero.
A day after the images and personal data were published on Twitter, the hacker also posted an ad on a well-known hacker forum offering to retrieve the personal data of any Argentine user, as The Record writes here. After the whole case became public, the authority in question had to admit to the hack and published some information on this page. The text says something like this:
The National Register of Persons (Renaper) has … filed a criminal complaint with the Federal Criminal and Penitentiary Court No. 11 Secretariat No. 22, after it was found that the use of passwords granted to public institutions, in this case the Ministry of Health, leaked images belonging to personal transactions in the Renaper. The agency of the Ministry of Interior confirmed that it was a case of misuse or theft of the user password and that the database was not damaged or leaked in any way.
On Saturday, Oct. 9, it came to Renaper's attention that a Twitter user identifying himself as @aniballeaks – an account that was reported and is now suspended – had posted images of 44 people on the social network. These included images of public officials and commonly known public figures.
Renaper's IT security team, which confirmed the incident, consulted with the 44 individuals involved to verify recent use of the digital identity system (SID) on those profiles. It found that 19 images had been accessed through an authorized virtual private network (VPN) connection between Renaper and the National Ministry of Health at the exact time they were published on the Twitter social network, and that all of the images had been recently accessed through the same connection.
This connection would have made several individual queries to the Renaper databases between 3:01 p.m. and 3:55 p.m. using the SID data validation service, which, after querying the person's DNI and gender, returned all the data printed on the ID card, including image and other personal data, to the querying person, which was then immediately uploaded to the Twitter social network without the holder's consent.
After this preliminary analysis, the specialists confirmed, an unauthorized intrusion into the systems or a massive leak of the agency's data could be ruled out.
Sounds like someone captured a password and access name from the Ministry of Health, through which they could query the Renaper database. The access does not seem to have been secured that well. Passport and registration data must be accessible from different places. However, it seems that the person in question continues to have access to the Renaper database and continues to query data. Further details can be found at The Register.
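The Renaper statement above describes the pattern a registry operator could have caught on its own: a partner credential, over an authorized VPN link, issuing a run of individual full-record lookups within a 54-minute window. The following Python is an added example written for this post, not code from Renaper, the Ministry of Health or the blog author; it runs a sliding-window burst detector over a constructed audit log. The log format, the credential names (salud-prod, anses-prod), the window size and the threshold are all assumptions made for the illustration.

```python
"""Burst detection over a constructed identity-lookup audit log.

Added example for this post; not Renaper's or the Ministry of Health's code.
Flags a partner credential whose successful full-record lookups exceed a
threshold inside a sliding time window, and reports how many distinct
subjects (DNIs) it pulled in that window. Log format, credential names and
thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line shape: ISO timestamp, partner credential, queried DNI, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"cred=(?P<cred>\S+) dni=(?P<dni>\d+) result=(?P<result>\w+)$"
)

# Constructed sample log (chronological). salud-prod issues a burst of lookups
# between 15:01 and 15:10; anses-prod shows ordinary, sparse use.
SAMPLE_LOG = """\
2021-10-09T14:40:00 cred=anses-prod dni=00000101 result=ok
2021-10-09T14:58:10 cred=salud-prod dni=00000201 result=ok
2021-10-09T15:01:02 cred=salud-prod dni=00000202 result=ok
2021-10-09T15:02:15 cred=salud-prod dni=00000203 result=ok
2021-10-09T15:03:40 cred=salud-prod dni=00000204 result=ok
2021-10-09T15:04:05 cred=salud-prod dni=00000205 result=denied
2021-10-09T15:05:21 cred=salud-prod dni=00000206 result=ok
2021-10-09T15:06:48 cred=salud-prod dni=00000207 result=ok
2021-10-09T15:07:30 cred=anses-prod dni=00000102 result=ok
2021-10-09T15:08:12 cred=salud-prod dni=00000208 result=ok
2021-10-09T15:09:55 cred=salud-prod dni=00000209 result=ok
2021-10-09T15:30:00 cred=anses-prod dni=00000103 result=ok
"""


def parse_line(line):
    """Parse one audit line into (timestamp, credential, dni, result)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    return datetime.fromisoformat(m["ts"]), m["cred"], m["dni"], m["result"]


def detect_bursts(lines, window=timedelta(minutes=10), threshold=5):
    """Return {credential: (window_start, lookups, distinct_subjects)}.

    Only successful lookups count, since those are the ones that returned a
    full ID record. For each credential the alert keeps the largest burst
    observed; lines are expected in chronological order.
    """
    recent = defaultdict(deque)  # credential -> deque of (ts, dni) in window
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, cred, dni, result = parse_line(line)
        if result != "ok":
            continue
        q = recent[cred]
        q.append((ts, dni))
        # Drop events that fell out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) > threshold:
            distinct = len({d for _, d in q})
            if cred not in alerts or len(q) > alerts[cred][1]:
                alerts[cred] = (q[0][0], len(q), distinct)
    return alerts


if __name__ == "__main__":
    for cred, (start, n, distinct) in detect_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {cred}: {n} full-record lookups on {distinct} subjects "
              f"in the 10 min from {start.isoformat()}")
```

The threshold is deliberately per-credential and per-window rather than a global rate limit: a ministry that normally validates a handful of identities an hour looks very different from one pulling a record every minute, and it is the departure from each partner's own baseline, not the absolute volume, that signals a stolen credential. The distinct-subject count is the second useful signal, since legitimate re-checks of one person and a sweep across many different DNIs produce the same raw count but not the same distinct count.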
Just over a year ago, in September 2020, I had already reported in the German blog post Ransomware-Angriff auf Argentiniens Einwanderungsbehörde, deutsche Passdaten im Netz, that at the immigration authority ransomware had siphoned off all passport data from entries and exits. We will have to get used to such cases happening several times a day in the future.