Albanians are seeking action after hackers behind a wave of cyber-attacks in 2022 opened a new front by hacking a private bank and leaking client data.
Last month, Credins Bank became the latest target as the Homeland Justice hackers hit a private entity for the first time.
Authorities say they have everything under control and have banned media from reporting on the content of the leaks. But ordinary Albanians are increasingly concerned for the security of their personal data.
This month, Progni, an IT expert, decided to act, filing a case with the Special Court Against Corruption and Organised Crime, SPAK, against the National Agency for Information Society, AKSHI, the National Authority for Electronic Certification and Cyber Security, ACESK, and a private firm responsible monitoring the implementation of standards by these bodies.
Progni, whose case has the backing of a forum of some 800 IT experts, said he was motivated by a desire to raise awareness and hold accountable those tasked with protecting private data.
“The biggest risks are the duplication of identity and the use of online data, the theft of the accounts that has already started, like Instagram, Facebook etc; these accounts are being stolen massively,” Progni told BIRN, saying he had already received thousands of messages from other concerned individuals asking about the legal avenues open to them.
“If they [SPAK] start an investigation, it’s certain that officials will be arrested,” he said.
Photo: Screeenshot from Homeland Justice webpage.
New front
Albania and outside investigators have all pointed the finger of blame at Iran, whose embassy in Tirana has been shut down as a result of the expulsion of its diplomats and ambassador. Albania has frozen diplomatic relations with Tehran.
The attack on Credins Bank appears to have opened a new front, however, as the hackers expand their targets from public to private entities.
On January 9, Homeland Justice published on Telegram a file that it claimed contains the data of business clients of the bank. A week later, another file appeared under the name ‘All Accounts Customers’. An accompanying message declared, “Credins Failed.”
Days passed between the attack and confirmation from Credins. The bank said a “peripheral system” had been affected but that the danger was isolated and the “highest IT security measures were implemented.”
One client, who asked not to be named, said she had been unable to log into her account for days and that, as of publication of this story, the bank app was still not working properly. “I wrote to the Support and they told me it doesn’t work but that it would be fixed soon,” she said.
“From an emotional perspective, at first I was very disappointed that the Support was completely unprepared; it didn’t provide any information except that it would be fixed during the following days. The information service also gave me wrong information, maybe not even the information service themselves knew what was going on, but it is very unprofessional that the customer was left without the right to know when there is a data breach.”
In its December 23 statement, the bank urged that no private data be published.
“We inform all persons that the publication of personal information without authorisation constitutes a legal violation, therefore we request that the distribution of this information be stopped immediately,” it said.
Western Balkan countries faced by cyber attacks since July (illustration). Photo: EPA-EFE/SASCHA STEINBACH
Class action lawsuit not an option in Albania
In some countries, affected individuals would be able to team up in collective action, or ‘class action’ lawsuits, to seek remedy, but under Albanian law this is not possible.
“This mechanism is not recognised in our legislation, even though there was an initiative by some civil society organisations that drafted a draft law on collective lawsuits and submitted it to parliament in 2021,” said Megi Reci, a lawyer at the Tirana-based Institute for Democracy and Mediation. “Approval remains subject to the will of the parliament.”
The only options open to individuals are criminal charges, civil lawsuits for compensation, or a complaint to the Commissioner for the Protection of Personal Data, Reci said.
As of January 18, SPAK told BIRN it had not registered any criminal proceedings with regards cyber-attacks.
The Tirana Prosecution is conducting its own investigation into the case; so far it has detained give IT employees in the public administration, but this has far from satisfied the government’s biggest critics.
As for solutions, experts say Albania may have to consider changing Albanians’ unique personal ID numbers.
“Only one recommendation solves this issue, which is to renew the citizen’s ID so that the IDs would be different,” Progni told BIRN. He also recommended 2-factor authentication for each account and greater awareness of phishing attacks.
The office of the Commissioner for the Protection of Personal Data said it had also proposed possibly changing ID numbers, but that it would be “a complex process”.
“The discussion and finding solutions for this initiative is complex and involves several institutions,” the office told BIRN in a written response. The IT breach and leak of private data “showed marked weaknesses of the structures and systems that administer them,” it said.