The data of 45 million people is at risk. If the leak of the database of the National Registry of Persons (Renaper) is confirmed, it could become the largest attack received by a public body at a global level.
The news exploded this Wednesday and revealed an even greater information security flaw than the one recorded by Migrations in August 2020, not only due to the number of potential victims, but also due to the quality of the data collected.
Renaper himself formalized a criminal complaint on Tuesday before the Federal Criminal and Correctional Court No. 11 after detecting that, through the use of passwords granted to public bodies, in this case the Ministry of Health, images were leaked that gave an account of the improper access to the database.
Among this material, was the ID photo of journalists Luis Majul and Eduardo Feinmann, soccer players Lionel Messi and Sergio Agüero; and the opposition leader and former Minister of Security Patricia Bullrich.
"From the body dependent on the Ministry of the Interior, it was confirmed that it was an improper use of the user or theft of its password, and that the database did not suffer any data breach or leak," Renaper reported.
However, this brief communication is far from reassuring the experts. On Wednesday, several people reported on Twitter that their personal information would be in the hands of cybercriminals. Among them, the user @mariegok, one of the first to notice the scandal.
Tip of the iceberg
The security event is more than just the leaking of photos of celebrities, but it could affect all residents in the country who have an ID, since the body is in charge of the identification and registration of natural persons residing in Argentina.
Data leaks, the seriousness of a leak in a public bodyComputer expert Javier Smaldone, who posted on his Twitter (@mis2centavos) that his personal data was even available, assures aiProUP that Renaper has had its online database for years and provides services to third parties, such as other public agencies and companies (for example, fintech companies that do digital onboarding), but with a weak security policy.
"The problem is that there is no control over what data they can access or how much. In this case, it has apparently been a credential from the Ministry of Health and that makes all the data exposed," says Smaldone, who recalls that in In 2019, the ProcreAR site used the Renaper services and registered a bug that allowed any user to make queries as if they were Google. All without the need for hacks or great computer knowledge.
"This is happening now because someone published this data. The question is how many more times it happened or how much more will it continue to happen because they are selling this data. I don't think this will be solved in the short or medium term, since it would imply that they stop operate 44 services. The solution is going to take a long time, while we have the personal data of ourselves and our children exposed", regrets the expert.
According to Smaldone, this is a matter of substance: "Nowhere in the world is there a Renaper, in any other nation he is considered a fascist. There is no country in which there is a document with all its inhabitants and here we have him naturalized and with the fingerprint, which is taken from criminals, not from citizens. I think it is guaranteed that this will happen again. 44 photos were leaked from all political spheres. "
Implications
Lawyer Víctor Castillejos warns iProUP of the worst: "The complete Renaper database would be sold with a photo, ID addresses, dates of birth/naturalization, procedure number, etc."
"If this were confirmed, in my opinion, it would be the most serious data leak that a sovereign state has suffered in the world. The consequences for the privacy of all Argentines around the planet would be truly dramatic and the exposure could lead to hundreds of legal claims. ", complete.
For their part, Daniel Monastersky and Facundo Malaureille, general partners of datagovernancelatam.com and directors of the Diploma in Data Governance at CEMA University: "In 2018 there was a communication from the Data Protection Directorate where they recommended the notification of this type of facts so that letters are taken in the matter, regarding what data was compromised and detailing how this type of leak occurs".
This is what the European data protection regulation provides, they explain. "Although it is a recommendation and it is not enforceable, there are more technical issues related to what implications it had. Any of the victims can file a complaint and request an investigation to see if they had the basic protections to avoid these leaks," he explains. Monastersky.
Although everything exploded in the last few hours, the Renaper learned on Saturday that a Twitter user identified by the name of @aniballeaks - an account that was reported and is currently suspended - had posted on that social network the images of 44 individuals, including officials and public figures.
How to know if your data was leaked
"To find out if your data has been leaked, you can exercise your right of access to public information before Renaper to confirm if there has been any unauthorized access to your personal data," says Castillejos, who adds that this procedure can be done at the portal www.argentina.gob.ar/aaip.
In addition, he adds that in the event that the information has been leaked, a complaint must be made to the corresponding authority (police or prosecutor's office) to find out if a crime has occurred.
"In this way, you can prove later that you were diligent and made the complaint. And you can protect yourself, for example, if they take out a loan in your name with that information. It can be done directly with the Police or the Prosecutor's Office, and the facts", indicates the lawyer.
The immediate risks are varied and, in all cases, serious. For example, that the victims are victims of harassment by third parties or virtual kidnappings; or take out loans and register accounts in their name in digital banks or other fintech, among others.
In addition, those who believe that their data has been used to access "guessing passwords" from dates or other personal data in email accounts, social networks and other web services can enter haveibeenpwned.com. In the event that the page indicates that those accounts were compromised, a strong password must be created to regain control.
What about private data?Emiliano Piscitelli, CEO of BeyGoo, tells iProUP that there is a hacking forum in which this data is marketed. "Personal information is bought and sold all the time. You have to know what data you have. It's like they steal your DNI data and with this they can take out an online loan."
For his part, the lawyer Luciano Monchiero, Cybercrime specialist and CEO of For7ress Digital Security reveals to iProUP that the penalties for this type of crime can be varied.
"The point is to verify if they reveal all the information that is restricted, without authorization from RENAPER, or if there is an alteration of the data. It will depend on how the situation occurs," says the lawyer, who lists the sanctions:
It may interest youEarn in dollars with "changas 4.0": look at the top platforms that pay for tasks of a few minutes
As iProUP learned, the Specialized Cybercrime Fiscal Unit (UFECI), whose head is Horacio Azzolin, has already taken action on the matter. It will depend on the result of the investigation to see the scope of what could be the largest data leak perpetrated against a State: the information of 45 million Argentines is at risk.
relateddnifederal correctional courtcriminalministry