A database of more than 20 million Russian tax records was found on an unsecured server, accessible to anyone with a web browser. The unprotected Elasticsearch cluster contained personally identifiable information on Russian citizens spanning from 2009 to 2016.
Comparitech partnered with security researcher Bob Diachenko to investigate the data exposure, which included sensitive personal and tax information. The database was taken offline after Diachenko notified the owner, who is based in Ukraine.
Timeline of the data exposure
The Amazon Web Services Elasticsearch cluster was publicly available and could be accessed without a password or any other authentication. Here’s a breakdown of what happened:
- May 2018 – The Elasticsearch database was first indexed by search engines.
- September 17, 2019 – Diachenko discovered the exposed database and took steps to alert the owner.
- September 20, 2019 – The database is no longer publicly accessible.
We cannot determine whether anyone else accessed the data while it was exposed. The owner, who we only know is based in Ukraine, did not respond to our emails.
What information was exposed?
The cluster contained multiple databases. Some seemed to contain mostly random and publicly sourced data.
Two databases, however, included tax and personally identifiable information about Russian citizens. Most of those citizens appear to be from Moscow and the surrounding area.
The first database contained more than 14 million personal and tax records from 2010 to 2016, and the second included over 6 million from 2009 to 2015.
Those records included information such as:
- Full name
- Residency status
- Passport number
- Phone number
- Tax ID number
- Employer name and phone number
- Tax amount
None of the data was encrypted, and it sat exposed for more than a year.
Upon finding the data, we immediately took steps to notify the owner. We could only determine that the owner is in Ukraine and know little more about the party responsible.
Dangers of exposed data
Affected individuals could be at risk of identity theft and should monitor their accounts closely. Tax fraud could also be a risk, though our team is not well-versed enough on the topic of the Russian tax system to give concrete advice.
Potential victims should also be on the lookout for targeted phishing and other scams. Fraudsters could pose as tax officials, for example, to steal money or request additional information to aid in identity theft.
How and why we discovered this breach
Comparitech’s security research team searches the internet for misconfigured databases left vulnerable to unauthorized users. Whenever possible, we alert the organizations responsible for the data to minimize harm to end users and make the internet a safer place.
Bob Diachenko leads the effort with his deep knowledge and extensive experience in cybersecurity. After he discovers exposed data, he immediately attempts to identify and alert the owner so they may secure or remove it.
Our team then investigates the nature of the exposed data and who it involves. We report our findings here to raise awareness among those affected in the hope that they will take the necessary steps to protect themselves. We aim to mitigate malicious access to personal information and curb the harm that can result from exposed data.
- 700,000 customer records for major hotel franchisor Choice Hotels
- 7 million records of K-12 students
- 188 million personal data records from people search sites
- 300,000 records belonging to cryptocurrency exchange QuickBit
- 5 million personal records belonging to MedicareSupplement.com
- 3 million records exposed by grocery rebate app SavingStar