Last week, Argentina suffered what may be one of the most catastrophic data breaches after access to a government database containing the national identity card information of every citizen of Argentina was found for sale on the dark web.
The National Registry of Persons contains an image of every national ID card issued by the government, as well as all the information printed on the card in text format for easy searching. The hackers published the photo IDs and personal information of 44 of the country's celebrities as proof of the intrusion and offered to search the data of any Argentine citizen for a fee.
Government database compromised; unclear if data was stolen, or if internal access is to blame
The Registro Nacional de las Personas (RENAPER), or National Registry of Persons, is a central government database maintained by the Argentine Ministry of the Interior and widely used by agencies in the country to look up personal information about citizens. The database contains scanned copies of each issued national ID card, as well as text entries of the information displayed on it: full name, face photo, home address, national ID number for tax and employment purposes, and the processing barcode used by internal systems.
The Argentine government does not consider this to be a data breach in the sense that an outsider broke into the system and compromised the stored data. Instead, they believe that employees of the Ministry of the Interior who have access to government databases are offering the information for sale. An agency press release noted that eight employees are being investigated for their possible roles. The agency also said that a VPN account at the agency was used to query the database just before the attackers posted photos of the search subjects on Twitter.
This theory fits with the attacker's dark web listing, which did not offer any portion of the government database for sale. Instead, the site offers queries on a per-name basis, although it also claims to have full access to information on the country's 45 million registered citizens. This appears to be a very labor-intensive and risky way to make money from a breach, and one that can be quickly cut off by disabling compromised credentials. The theory that an employee has a specific login privilege makes more sense than an outside party trying to make money indefinitely by running ongoing queries through a compromised VPN.
For their part, the attackers claimed they were outsiders who had compromised the entire contents of the government database. Before the attackers' Twitter account was shut down, they posted the personal information of 44 Argentine celebrities, including Lionel Messi and Sergio Aguero, as well as President Alberto Fernandez. They also claimed they may have posted information on "one to two million people" as evidence, although the account appears to have been deleted before then. The attackers claim they did compromise the VPN, but that this was due to a "careless employee" rather than an insider threat.
A long-standing problem with Argentina's national government cybersecurity?
This breach follows the "La Gorra Leaks" incidents in 2017 and 2019, each involving government accounts and databases. The initial 2017 incident was an attack on the email account and Twitter feed of Argentina's security minister, where hackers posted screenshots of images and documents. The incident received more coverage for the response to it than for the vulnerability itself, as security experts reporting on the hack and members of the political opposition were raided simply for posting information about it on blogs and social media. This situation repeated itself in 2019, when an unknown hacker leaked 700GB of government database information (about 200,000 PDF files) on dark web forums and messaging platforms, embarrassing some politicians and law enforcement professionals.
The government itself is also a source of security concerns. In 2018, both the federal government and the city of Buenos Aires attempted to pass measures that would allow law enforcement to deploy malware as part of criminal investigations. These bills were widely criticized for lacking basic privacy and security protections and were ultimately abandoned.
Tony Pepper, CEO of Egress, commented on the risk to Argentine citizens if their national ID cards are freely available on the dark web to anyone willing to pay: "With millions of people's data at risk, Argentine citizens are now prime targets for follow-on attacks such as financial fraud, sophisticated phishing attempts and impostor scams designed to further steal personal data, identities and even their money."
A number of other security experts have also weighed in on the changes needed to protect these extremely sensitive government databases. According to Saryu Nayyar, CEO of Gurucul, "This shows the need for all organizations to use analytics and machine learning to find and flag unusual activity on the network. It is highly unlikely that legitimate employees will need to download all records. A good analytics solution should use real-time data to quickly identify anomalies so they can be fixed before the download is complete."
And Veridium's CRO Rajiv Pimplaskar believes biometrics is the answer: "A national identification system should be based on knowledge-based authentication (KBA), such as a PIN or password, and accept biometric modalities, such as facial and fingerprint. Biometrics reduce the risk of credential theft and lateral movement, which can lead to the proliferation of data breaches. Some contactless biometric solutions can be accessed through the consumer's smartphone and can enable a variety of remote enrollment and authentication use cases. This approach should be device-independent in order to provide consistent access and user experience for all citizens, regardless of the make and model of their phone."