District Prosecutor’s Office in Warsaw published a communication, which describes in more detail fundraiser data leakage. Here are the main findings of the prosecution:
- data derived from the base of Social Security in an unauthorized way,
- data collected by malicious software or scripts
- downloading lasted from March 2015.
- only one office leaked data 802 tys.osób (possible that the leak is greater)
- screening takes place in five offices in Warsaw and Lodz.
- criminal proceedings applies to debt collectors, who “ enabled the access to the database Social Security unauthorized persons “, which in itself is a crime 231 KK. Then there are the allegations of paragraph 267 KK – obtaining unauthorized access to personal information from the Social Security database – a separate crime.
- took over the investigation ABW
The message we publish in its entirety.
District Prosecutor’s Office in Warsaw supervises the criminal investigation into the failure of duties and actions damaging public and private interests by bailiffs obliged to secure access to personal data from the register of Social Security, so that there was a permit access to the data to unauthorized persons, ie. an offense under Article. 231 § 1 of the Penal Code in zb. Article. 51 paragraph. 1 of the Act on the protection of personal data and on obtaining unauthorized access to personal data contained in the register of social security, ie. An offense under Article. 267 § 1 of the Penal Code.
The investigation was initiated by the notification of the Ministry of Digitalisation, which revealed that the Set of bailiffs taking from tens to hundreds of thousands of records from the database monthly Social Security. The analysis calls the system Social Security – including their duration, frequency of requests, implementation at night and the scheme of work stations – pointed to the use of malicious software or scripts used to automatically generate queries.
In connection with the notice on suspicion of committing a crime obtained detailed data on the frequency and scope retrieved from the register of Social Security data. The results of the analysis of justified suspicion of unauthorized collection and use of personal data, for example, one of the bailiffs downloaded from March 2015. Data 802,759 people and made 1,792,951 queries. In order to determine the relevant circumstances it was decided to carry out procedural actions in five offices including debt collectors Warsaw and Lodz, protecting data carriers and equipment.
In view of the seriousness of the case investigation entrusted to the Internal Security Agency.
RMF FM announces the unexpected action the prosecutor’s office, which entered the offices of five office bailiff escorted by officers of the Internal Security agency. Investigators protect computers and media as they have reason to believe that firms wyłudziły data base of Social Security.
Ministry Digitization surprised
According to RMF FM service Digitization alerted representatives of the Ministry, who noticed considerable traffic on the servers that store data Social Security. Suspiciously many queries was coming at night. In the course of the internal investigation established that the request comes from several law bailiff. One of them could get up to 800 thousand. records, the game can enter data for up to two million Poles.
You have to remember that in the Social Security database is also our permanent address, residence, series and number of identity card and passport . Better not lose the data.
Read also: Mysterious hacker attack on MON. What is it?
This bailiffs or hackers?
At this stage it is not clear whether offices bailiff in fraudulently were acquiring data for the conduct of its proceedings or office computers were infected with malware.
Why bailiffs data?
In the first case it may be a question of recovery of overdue debts. Firms specializing in these types of activities shall buy debt even 20 years ago, and then they go to court, then the bailiff. Large group of Poles see in the box notification from the court does not receive the shipment. Thereby it acts to its detriment, because unclaimed parcel is considered as delivered, and the judgment becomes final. The debtor instead plead limitation and freed from having to repay the debt must give it back with interest for several years, attorney fee, the cost of the process. In this way the debt of 200 or 500 zlotys growing amounts ranging 3000-5000, respectively.
Why data criminals?
They can thus extort loans, borrow. Fortunately, a few months ago, “sealed” way to open accounts. Today, no longer open one account by verifying transfer from another account, is registered in the data from the evidence. It allowed criminals to quickly create a chain of accounts and transfer money between them.
According to the service Trusted Third Party is likely the second scenario. Service Niebezpiecznik.pl is also more prone to this hypothesis.
According to one of our readers, who works at the government systems ( “source application”), access to the database should not be assigned on the internet. It can therefore access was via the internet, but in the context of supervised VPN sessions.
at the moment, can not determine who is behind the leak and what derived data.