A text file containing personal data of 5 190 396 Serbian citizens, and more than 4 000 financial documents (over 19 gigabytes of content in total) were publicly available last week on the official website of the Privatization Agency of the Republic of Serbia, as SHARE Foundation established.

The analysis of the documents confirmed that the personal data of 5 190 396 citizens are actually the data from the records of persons entitled to free public company stock, which are run by the Privatization Agency. The size of the text database is 1,22 gigabytes, which represents a huge amount of personal data out in the open, for everyone to access, download and potentially abuse it. The database with personal data was available at the following link: http://www.priv.rs/upload/company/contract/BES/dump_web_prijave_10062013.txt.

This case shouldn’t be linked to the recent news of “hacker threats”, which were largely reported by the media during the past few days. From what could be seen in the case of “Serbian hackers”, it was about a much smaller amount of personal data, which probably originated from a database of “confirmed voters” of some political party.

Since the database compromised the data of more than 5 million people, we didn’t want to alarm the public until the database was removed from the Internet. Therefore, we notified the Office of the Commissioner for Information of Public Importance and Personal Data Protection, which reacted promptly. Access to the database was disabled Friday afternoon, December 12, after the evidence had been collected and Privatization Agency informed.

If you are a citizen of Serbia and you have applied for free stocks in 2008, your data have been compromised. You can see a part of the database below:

The analysis confirmed that the database contains different data of 5 190 396 citizens of Serbia, namely:

First name
Last name
Middle name
Unique Master Citizen Number (UMCN, Serbian: JMBG)
Citizens’ status in the free stock rights holders’ records (last column)

It is important to emphasize that the following information about a certain individual can be deduced based on the presented data:

Date of birth
Place of birth
Age
Sex

The importance of this data also comes from the fact that every Internet user can use the UMCN to potentially search other public electronic databases for additional data. Also, if someone finds out your UMCN, he can log in to various public or private electronic services by using your identity.

In addition to direct use of this data, abuse through social engineering is also possible. Sometimes it is enough to call a certain company you have a contract with and demand new services or cancel existing ones just by giving your name and UMCN. In the wrong hands, this data can lead to mass identity thefts, which will make state institutions and companies take adequate measures so there wouldn’t be any serious consequences for citizens whose personal information have been compromised.

It was interesting that the link to the database was freely shared on Twitter, where associates of SHARE Foundation spotted it. Although at first we thought that maybe an Agency employee had sent this link to someone without authorization, and that that person might have shared it on social media, it turned out that the database was searchable on Google and it seems that anyone who applied for free stock in 2008 and searched for his master number could access the base freely and without limitation.

If you applied for free stock, you could have entered your master number in Google search and as a result you would get the link to this database.

For now we have no information whether this was some kind of an attack or an unacceptable mistake of Agency employees, but we are sure that this was the largest privacy breach in the area of information systems and privacy of citizens in the recent history of Serbia. It is certain that no one is able to answer the following questions:

Who came into possession of a database containing personal data of 5 190 396 citizens of Serbia?

Who came into possession of more than 4 000 other documents (total size 19 GB) which mostly represent business and financial data of state companies in the process of restructuring?

How will they (ab)use them?

By looking into ownership over the IP address where this database was published, we’ve affirmed that the data was located on “Verat”’s network. However, it is not possible to establish with certainty to whom the server belongs to. In any case, the omission probably happened because of the platform (webpage) administrator and not the administrator of the server or hosting provider.

We hope that the proceedings started by the Commissioner will reveal all aspects of this security breach in order to establish who is responsible, but also to raise awareness of the employees in the public sector of the responsibility for personal data they are holding.

If state bodies do not have the need for the personal data database that is in possession of SHARE Foundation, the database will be deleted and it will not be given to third parties, nor in any way abused by SHARE Foundation, in accordance with our Privacy Policy.

We warn everyone who may have come into possession of the database with the personal data of citizens of Serbia that any further use, selling and giving of the database can lead to criminal liability on the grounds of criminal act of “Unauthorized collection of personal data” (Article 146 of the Criminal Code).

Privacy for the weak, transparency for the powerful

State bodies are gathering large amounts of different data, including personal data, from basic data to those containing very sensitive information, such as data concerning health, education, financial status etc. These data are kept in information systems, which means that they are easily searchable and available to “authorized” personnel. Besides the fact that the Law on Protection of Personal Data applies to both private and public sectors, the implementation of the Law seems to be much worse in the public sector. Public institutions usually don’t have the necessary procedures to protect our personal data and they lack knowledge and resources for establishing adequate procedures and harmonize their business practices with the regulations.

It is worrying that at this moment citizens don’t know which state institutions collect their data, which data are being collected and processed, where are they kept, how are they protected, who exactly has access to these data and for what purposes (media claim that more than 300 000 institutions that control citizens’ data). Since data are considered to be a very important economic resource, especially since the beginning of the 21st century, the lack of transparency limits the responsibility of public institutions and enables corruption, particularly in state institutions which hold sensitive and market-valuable data or make decisions on citizens’ rights based on automatic processing of personal data.

Omissions of state bodies such as this one must be corrected as soon as possible and responsible persons must bear legal consequences in accordance with the Criminal Code and the Law on Personal Data Protection. It is also necessary to take all the required steps in order to ensure that citizens’ data are protected with highest available measures of technical and organizational protection.

SHARE Foundation will continue to oversee the level of compliance of public and private personal data controllers with laws and other regulations in this area, so that privacy for the weak and transparency for the powerful would be established.