Saturday, February 20, 2010

Cyberactivists obtain Latvian State Revenue Service data

A purported group of cyberactivists has obtained around 7.4 million records from a database linked to the web-based service for filing income tax returns and other information with Latvia's State Revenue Service (Valsts Ieņēmuma dienests/VID). According to Latvian Television's investigative program DeFacto, at least 1000 state and municipal agencies and companies had their data copied, including the Postal Service.
The leak or defect in the Electronic Declaration System (EDS) had been present for several months, allowing the cyberactivists, who call themselves the Fourth Awakening People's Army (Ceturtās Atmodas Tautas Armija/4.ATA). The name refers to times in Latvian history when there were historic changes in Latvia's national consciousness, the first "Atmoda" being the formation of a national awareness in the 1850s, followed by more radical social and political movements in the late 1800s, the founding of the first independent Latvian state in 1918, and the movement to regain independence starting in the late 1980s. More information here.
According to 4.ATA spokesperson Neo, who has chatted electronically with some journalists and recently opened a Twitter account, the group hopes to expose government waste, unjust wage differentials and possible corruption by analyzing data filed by state agencies and the public sector. Using online file storage and sharing sites, it has already published a sanitized list of salaries and other remuneration for what is said to be the Riga public transport agency Rīgas Satiksme (RS).
Public transport costs have risen recently and the transport company has announced it wants to limit the number of trips that can be made on a full-price "unlimited" monthly ticket. This has caused public outrage. The figures seem to indicate that top management of RS make four-figure salaries, with some, apparently retiring or dismissed board members, getting one-off compensation payments of LVL 25 000 (USD 50 000).
Neo also announced that data from the Riga District Heating company Rīgas Siltums would soon be released.
The leaks from the Revenue Service have caused a public uproar, with all parties (the Revenue Service, the designers of the EDS system, data security auditors and others) blaming each other. Apparently several audits and tests of the system, which was designed and implemented by Exigen Services, failed to notice the defect that allowed the EDS database to be copied with very simple methods.
Apparently, the site did not need to be "hacked", leading to a bizarre excuse by the Revenue Service that what happened was not a "cybercrime" as defined by existing protocol. It therefore did not officially call Latvia's Computer Security Incidents Response Unit (Datoru drošības incidentu reaģēšanas vienība), but did make an anonymous phone call to the agency, only to be told to call the police.
According to this blogger's sources, VID was warned of generally poor data security practices at the agency, but top management never dealt with the issue, saying it was a matter for "the IT department". The agency is also said to keep its backup database in the same building as its main servers, though, when asked, it said, in general terms, that its IT resources were "dispersed". According to one source, the main server room of the Revenue Service is near the entrance to its offices and more exposed to intrusion than if it were at the end of a back hallway.
IT security circles in Latvia hope this will be the cyber-security "killer incident" that will finally raise awareness of the need to make security policy an executive-level concern. At the same time, it appears that the already compromised data will be used by 4.ATA to discredit the political and economic elite in Latvia during an election year.
4.ATA say they are based in Britain and Ireland and are thereby harder for Latvian authorities to pinpoint and capture, if located.

1 comment:

Anonymous said...

Hello, Juris!
Tell me, could this have anything at all to do with reality?

All the best!
(a Latvian student; we met once on a ferry in the Baltic Sea in the early 90s; I respected you then and still do)