Argentina suffered one of the most catastrophic data breaches possible last week, as access to a government database containing national ID card information for every citizen was found for sale on the dark web.
The National Registry of Persons contains images of every national ID the government has issued, complete with all the information printed on the card in text format for easy searching. The hacker published the ID photos and personal information of 44 of the country’s celebrities as proof of the breach, offering to look up the data of any citizen of Argentina for a fee.
Government database breached; unclear if data was stolen, or if insider access is to blame
The Registro Nacional de las Personas (RENAPER), or the National Registry of Persons, is a central government database maintained by the Argentinian Interior Ministry and used widely by the country’s various agencies to look up citizen personal information. The database contains scans of every national ID card issued, along with text entries of the information displayed on them: full names, a photo of the face, a home address, the national ID number used for tax and employment purposes, and processing bar codes used by internal systems.
The Argentinian government does not believe that this was a data breach, in the sense that outsiders penetrated the system and exfiltrated the stored data. They instead believe that an Interior Ministry employee with authorized access to the government database is offering the information for sale. A press release from the agency indicated that eight employees are being investigated for a possible role. The agency also indicated that one of its VPN accounts was used to query the database just prior to photos of the search subjects being posted on Twitter by the attacker.
This theory would track with the attacker’s dark web listing, which is not offering any portion of the government database for sale. Instead, the listing offers lookup services on a per-name basis in spite of also claiming that it has full access to the information of the country’s 45 million registered citizens. This seems a very labor-intensive and risky way of making money off of the breach, and one that could be quickly cut off by disabling the compromised credentials. The theory of an employee with access beyond one particular login makes more sense than an outside party sticking around attempting to use one compromised VPN indefinitely to do ongoing lookups for money.
For their part, the attacker claims that they are an outsider and that they have exfiltrated the entire contents of the government database. Before the attacker’s Twitter account was taken down, they posted the personal information of 44 Argentinian celebrities including Lionel Messi and Sergio Aguero as well as president Alberto Fernández. They had also claimed that they might release the information of “one to two million people” as proof, though the account appears to have been removed before this happened. The attacker claims that they did compromise a VPN, but it was due to “careless employees” rather than an inside threat.
Chronic issues with Argentina’s national government cybersecurity?
The breach follows the “La Gorra Leaks” incidents that played out in 2017 and 2019, each involving government accounts and databases. The original 2017 incident saw the email account and Twitter of the Minister of Security of Argentina breached, with the hacker publishing screenshots of images and files. The incident received more coverage for the response rather than the breach, as security experts covering the hack and political opposition were raided just for posting about it on blogs and social media. This pattern repeated in 2019 when an unknown hacker leaked 700 GB of information from government databases (some 200,000 PDF files) on dark web forums and messaging platforms. The information embarrassed some politicians and law enforcement professionals.
The government itself has also been a source of security concerns. In 2018, both the federal government and the city of Buenos Aires attempted to pass measures allowing law enforcement to deploy malware as part of criminal investigations. The bills were widely criticized for lacking basic privacy and security protections and were eventually dropped.
Tony Pepper, CEO of Egress, weighed in on the risk that citizens of Argentina face if their national IDs are freely available on the dark web to anyone willing to pay: “With the data of millions at risk, Argentinian citizens are now prime targets for follow-up attacks, such as financial fraud, sophisticated phishing attempts and impersonation scams, aimed at stealing further personal data, identities and even their money.”
A number of other security experts have weighed in on what needs to change to protect these extremely sensitive government databases. According to Saryu Nayyar, CEO of Gurucul: “This demonstrates the need for all organizations to use analytics and machine learning to look for and flag unusual activities on the network. It’s highly unlikely that a legitimate employee would have a need to download all records. A good analytics solution would have made use of real-time data to quickly identify that anomaly, making it possible to remediate before the download was complete.”
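The kind of check the quote above describes, and the correlation the ministry itself reported (one VPN account querying the registry shortly before the posts appeared), as an added Python example; this is illustrative code written for this article, not software from RENAPER, Gurucul or any vendor. The audit-log format, account names, source labels and thresholds are all constructed assumptions: it buckets lookups per account per hour, compares each account's busiest hour against the median across accounts, and flags the outlier together with its source so an analyst can see at once that the burst came in over VPN.

```python
"""Flag accounts performing bulk ID lookups in a (hypothetical) registry audit log."""
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample audit log, one event per line (assumed format, not a real system):
#   <ISO-8601 timestamp> <account> <source> <action> <subject-id>
# Three desk clerks doing normal one-off lookups, plus one VPN account
# running a burst of lookups in the middle of the night.
SAMPLE_LOG = """\
2021-10-09T09:02:11 clerk01 lan lookup 20000001
2021-10-09T09:15:40 clerk01 lan lookup 20000002
2021-10-09T10:03:05 clerk01 lan lookup 20000003
2021-10-09T09:20:14 clerk02 lan lookup 20000004
2021-10-09T11:41:39 clerk02 lan lookup 20000005
2021-10-09T09:08:50 clerk03 lan lookup 20000006
2021-10-09T09:09:12 clerk03 lan lookup 20000007
2021-10-09T14:30:00 clerk03 lan lookup 20000008
2021-10-09T16:12:45 clerk03 lan lookup 20000009
2021-10-09T02:10:01 vpn-user07 vpn lookup 30000001
2021-10-09T02:10:44 vpn-user07 vpn lookup 30000002
2021-10-09T02:11:30 vpn-user07 vpn lookup 30000003
2021-10-09T02:12:15 vpn-user07 vpn lookup 30000004
2021-10-09T02:13:02 vpn-user07 vpn lookup 30000005
2021-10-09T02:13:49 vpn-user07 vpn lookup 30000006
2021-10-09T02:14:36 vpn-user07 vpn lookup 30000007
2021-10-09T02:15:21 vpn-user07 vpn lookup 30000008
2021-10-09T02:16:08 vpn-user07 vpn lookup 30000009
2021-10-09T02:16:55 vpn-user07 vpn lookup 30000010
2021-10-09T02:17:40 vpn-user07 vpn lookup 30000011
2021-10-09T02:18:27 vpn-user07 vpn lookup 30000012
"""

MIN_FLAG_COUNT = 10       # assumed floor: never flag fewer lookups than this per hour
RATIO_OVER_MEDIAN = 5.0   # assumed: flag when an account's peak hour is 5x the median peak


def parse_log(text):
    """Parse the whitespace-separated log format above into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, source, action, subject = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "source": source, "action": action, "subject": subject})
    return events


def hourly_peaks(events):
    """Return {account: (peak_lookups_in_one_hour, hour_start, source)}."""
    buckets = Counter()
    sources = {}
    for e in events:
        if e["action"] != "lookup":
            continue
        hour = e["ts"].replace(minute=0, second=0, microsecond=0)
        buckets[(e["account"], hour)] += 1
        sources[(e["account"], hour)] = e["source"]
    peaks = {}
    for (account, hour), n in buckets.items():
        if account not in peaks or n > peaks[account][0]:
            peaks[account] = (n, hour, sources[(account, hour)])
    return peaks


def flag_bulk_lookups(events, min_count=MIN_FLAG_COUNT, ratio=RATIO_OVER_MEDIAN):
    """Flag accounts whose busiest hour is far above the median account's busiest hour.

    The median is used as the baseline so that a single runaway account does not
    drag the threshold up with it (with only a handful of accounts, as in the
    constructed sample, the absolute floor min_count does most of the work).
    """
    peaks = hourly_peaks(events)
    if not peaks:
        return []
    baseline = median(p[0] for p in peaks.values())
    threshold = max(min_count, ratio * baseline)
    flagged = []
    for account, (n, hour, source) in sorted(peaks.items()):
        if n > threshold:
            flagged.append({"account": account, "count": n, "source": source,
                            "hour": hour.isoformat(), "threshold": threshold})
    return flagged


if __name__ == "__main__":
    for hit in flag_bulk_lookups(parse_log(SAMPLE_LOG)):
        print(f"ALERT {hit['account']} via {hit['source']}: "
              f"{hit['count']} lookups in hour starting {hit['hour']} "
              f"(threshold {hit['threshold']:.0f})")
```

In a real deployment the baseline would come from weeks of history per role rather than from the same day's other accounts, and the alert would feed a workflow that can suspend the credential before the burst finishes, which is the point the quote makes about remediating "before the download was complete".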
And Rajiv Pimplaskar, CRO of Veridium, sees biometrics as the answer: “National ID systems should move away from Knowledge Based Authentication (KBA) such as PIN or Passwords and embrace biometric modalities like face and fingerprint. Biometrics reduce the risk envelope of credential theft and lateral movement that can proliferate data breaches. Several contactless biometric solutions are available to be accessed via consumer smartphones that can enable a variety of remote enrollment and verification use cases. Such modalities should be device independent so as to provide consistent access and user experience for all citizens regardless of make and model of their mobile phone.”