Around 540,000 people were affected by a data leak at the State Enterprise Centre of Registers. Names, surnames, personal codes, and various documents were exfiltrated.
-
A major data leak at Lithuania’s State Enterprise Centre of Registers exposed around 540,000 people, or nearly one-fifth of the country’s population.
-
The stolen data included names, surnames, personal codes, dates of birth, and real estate ownership details. Phone numbers, email addresses, and payment information were reportedly not leaked.
-
The Centre detected unauthorized access in late April, but some records may have been stolen as early as January. The delay in spotting the incident has led to strong criticism.
-
Officials say the intruder used stolen credentials rather than exploiting a direct cyber breach. The case has raised concerns about weak cyber hygiene, including the apparent lack of 2-factor authentication on employee accounts.
-
Law enforcement and data protection authorities are investigating, but affected users have not yet been formally notified. Some people must visit the Centre in person to check whether their data was exposed.
In April, the State Enterprise Centre of Registers became aware of an unauthorized login, which led to the exfiltration of 600,000 records. Some data was stolen as early as January, and the institution is now facing heavy criticism over the time it took them to notice anomalies within the system.
While the Centre became aware of the potential incident at the end of April, the news reached the public only last Friday. Users can check whether their data was leaked by logging into the system via their banks, but they haven't yet been officially informed of the data leak and the next steps.
Often, notifications of data breaches are sent after the investigation is concluded, and that could still take weeks, if not months.
The Prosecutor General's Office, the Lithuanian Criminal Police Bureau, and the State Data Protection Inspectorate are investigating the leak. An independent cybersecurity firm has not been involved in investigating the incident.
Some users who don't use electronic systems will have to physically appear at the Centre to learn whether their data has been leaked.
Mindaugas Samkus, the spokesperson for the Centre, tells Cybernews that around 540,000 people are exposed to the leak. To put that into perspective, Lithuania has up to 2.9 million residents, meaning that 19% of the country’s population has been affected.
The leak, while lacking essential information, has already cost Arijus Jusas, the director of the Centre, his job. The topic has since been highly politicized, with many saying the director is being used as a scapegoat to put people's minds at ease.
Here's what has been leaked:
- Name, surname
- Personal code
- Date of birth
- Various data about real estate that people (co)own
Phone numbers, email addresses, and payment information, according to Samkus, haven't been leaked.
"At the moment, we don't know any more details about the incident, and we can't comment on it. Law enforcement is investigating it, and we hope it will answer all questions."
While initial announcements mentioned a third party being involved in the data leak, making way for speculations about the supply chain, it soon became clear that an intruder simply logged in with stolen credentials.
"No cyber breach was recorded at the State Enterprise Centre of Registers," Samkus said.
Minister of National Defence, Robertas Kaunas, has repeated multiple times that basic cyber hygiene was missing from the Centre’s practices, with employee accounts apparently not protected by 2-factor authentication.
Kaunas showed up at the presentation of the 2025 National Cyber Security Status Report on Tuesday, where the National Cyber Security Centre boasted about how the number of cyber incidents last year went down by 25%.
Next year’s presentation will surely reveal a grimmer picture.
Unlock more exclusive Cybernews content on YouTube
Your email address will not be published. Required fields are markedmarked