Databases with private information of the citizens that are circulating online, show the weak defense from cybersecurity threads, experts say.
A database circulating online containing private information of Albanian citizens’ salaries, and another with private information and comments on political preferences that circulated in April, have raised concerns about public security in the country.
Prosecutors in Tirana started verification hours after a massive data breach of citizens’ private information started circulating online, initially through “Whatsapp”. The data contain the salaries, job positions, employer names and ID numbers of some 630,000 citizens, from both the public and private sectors.
The opposition Democratic Party condemned “an extraordinary scandal” and accused the Socialist government of failing to protect citizens’ private data.
The excel file that was leaked contained the salaries of the citizens for the month of January, while another which started circulating on Thursday contained salaries for April.
On Thursday Prime Minister Edi Rama called it “an attempt to create confusion and to foster instability”, implying also that the destabilization efforts came from the country’s divided opposition.
Enri Hide, a security expert and professor at the European University in Tirana, called it “an open threat to the national security” and added that “the institutional reaction “is not at all serious and proportionate to the degree of risk”.
“First of all, it shows the weaknesses of Albania’s cyber-security infrastructure. Second, it shows the lack of a response plan in such cases,” Hide told BIRN.
Asked if a specific group of people such as Intelligence or Army are more threatened than others, Hide said that the exposure “has extremely serious consequences for Intelligence” and the military.
“The long-term consequences for the Intelligence and Security and Defence system are 1. Use of the data by foreign actors in order to monitor the payment system of the sector. 2. Now that this level is being clarified, foreign intelligence agencies may attempt to ‘intervene’ or try to ‘offer rewards’ to actors in key / sensitive positions,” he told BIRN.
He added that the private sector was also at risk by making citizens vulnerable to blackmail.
“Cyber-security must be taken seriously. We need a strategy based not on letters but on modus operandi. We need a clear protocol of what should happen if we have such leaks. There is not any and it is shameful,” he said.
Fabian Zhilla, a security expert based in Tirana, said the leak of the database with the private information of citizens data that, “the public loses trust in public institutions and the loss of trust is directly related to the cooperation that citizens should have with institutions:”. If this threat is not addressed “citizens will be exposed and blackmailed and this includes employees of important state institutions”.
“If we talk about the protection of personal data, there is no doubt that the bodies that deal with the monitoring of all servers of public institutions such as National Agency for Information Society, AKSHI, must have a protocol and if there is no protocol … AKSHI should definitely set up a working group to make an assessment of preventive measures but also measures in case of information leaks and how it can be managed in real-time to prevent their spread in public,” Zhilla told BIRN.
He confirmed that secret service employees, intelligence services, military intelligence units and counter-terrorism units were at special risk.
“It is very important that a commission be set up at the ministerial level, perhaps with the request of Parliament to make a better assessment of the protection protocol, the measures related to the status quo of the infrastructure that the official institutions have today to protect the personal data,” he added.
The head of AKSHI, Linda Karancaj, said on Thursday that “the tax system is not certified by ISO, but we are in the process”.
According to the National Strategy of Cyber Security 2020 -2025 “any government infrastructure under the administration of AKSHI, ISO 27001standard policies are applied”.
In April 2021, a few days before elections in the country, a database with the private information of around 910,000 voters in Tirana was leaked to the media.
It was claimed that the database belonged to the ruling Socialist Party and was taken from state institutions and used for electoral purposes.
The database, which BIRN has seen, contained some 910,000 entries including names, addresses, birth dates, personal ID cards, employment information and other data.
The Socialist Party denied wrongdoing, insisting that the information was gathered in door-in-door surveys. The case is still with the prosecution.