Document management system leak exposed 25M records


A major data leak has revealed millions of records from a Latvian document management system, primarily used by the Latvian government.

While e-government vastly benefits citizens, going digital has its downsides. Namely, data safety. Enter Lietvaris, a document management system utilized in Latvia, a Baltic nation of 1.9 million.

The Cybernews research team recently uncovered massive amounts of public-facing data stored on an unprotected Elasticsearch cluster. The exposed instance, which the team attributed to the Lietvaris platform, houses a staggering 25 million records, a huge number for a nation with fewer than two million citizens.


“This incident underscores how important it is to keep data protected. Especially for government-associated organizations that store sensitive personal information on a large scale,” researchers said.

Our researchers contacted Lietvaris’ creators, Latvian software firm ZZ Dats, and the open instance was promptly closed. The company assured the team that an internal investigation would be launched to understand the issue.

Cybernews has also reached out to ZZ Dats for an official comment, and we will update the article once we receive a reply.

Sample of the leaked data. Image by Cybernews.

What data of Latvian citizens was exposed?

Lietvaris is mostly used by public servants to process citizens’ applications and service requests, which explains why the platform’s data was stored on Elasticsearch. Businesses utilize it to store and process swaths of data.

Meanwhile, the team claims that the exposed instance stored:

  • Names and surnames
  • National IDs
  • Home addresses

While there’s no indication that attackers siphoned the exposed data, malicious actors continuously monitor the web for unprotected servers and have an automated process for downloading public-facing details.

According to our researchers, cybercriminals could cause trouble if they did get hold of the data. Most obviously, revealing full names with national IDs and home addresses increases the risk of identity theft, as the dataset would allow someone to impersonate individuals convincingly.

“Another issue is privacy violation as the unauthorized release of personal data infringes upon citizens’ privacy rights. Moreover, the leak could erode public confidence in official data handling,” the team said.

The only silver lining is that ZZ Dats was quick to respond and solve the issue, removing the data from public view in less than 24 hours.

To mitigate the issue, researchers recommend the following actions:

  • Immediate server securing: Restrict public access and require authentication for all Elasticsearch instances
  • Compliance review: Assess potential violations under EU data protection laws (e.g., GDPR) and report as required
  • Investigation & Disclosure: Conduct a thorough internal review to determine the root cause and notify any affected individuals if necessary
  • Encryption & Access Controls: Apply encryption at rest and in transit, and enforce strict role-based access for data retrieval
  • Monitoring & Alerts: Implement continuous monitoring to detect any unauthorized attempts to access or modify the database
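
The first and fourth recommendations can be checked directly against a node's configuration. The following is an added example, not code from Cybernews or ZZ Dats: a small audit of an elasticsearch.yml that flags missing authentication and missing TLS. The setting names are Elasticsearch's own; the function names and both sample configs are constructed for illustration, and the parser assumes flat dotted keys with scalar values.

```python
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}

def parse_flat_yaml(text):
    """Parse flat 'dotted.key: scalar' lines (assumption: no nested YAML or lists)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def is_true(settings, key):
    # Conservative policy for this example: a setting counts only if explicitly "true".
    return settings.get(key, "").lower() == "true"

def audit(text):
    """Return a list of (severity, message) findings for one elasticsearch.yml."""
    s = parse_flat_yaml(text)
    # http.host falls back to network.host, which defaults to loopback.
    host = s.get("http.host", s.get("network.host", "_local_"))
    reachable = host not in LOOPBACK
    findings = []
    if not is_true(s, "xpack.security.enabled"):
        sev = "CRITICAL" if reachable else "HIGH"
        findings.append((sev, f"authentication not enabled; HTTP bound to {host}"))
    if not is_true(s, "xpack.security.http.ssl.enabled"):
        sev = "HIGH" if reachable else "MEDIUM"
        findings.append((sev, "REST API not served over TLS"))
    if not is_true(s, "xpack.security.transport.ssl.enabled"):
        findings.append(("MEDIUM", "node-to-node transport not encrypted"))
    return findings

# Constructed sample configs, not taken from the incident.
EXPOSED = """
cluster.name: docs-search
network.host: 0.0.0.0          # listens on every interface
xpack.security.enabled: false
"""
HARDENED = """
cluster.name: docs-search
network.host: 10.0.4.12
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

A clean result covers only what the file declares; firewall rules and role definitions still need their own review.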

  • Leak discovered: November 1st, 2024
  • Initial disclosure: November 1st, 2024
  • Leak closed: November 2nd, 2024