Personal Data, Azerbaijani Hackers, and Manageable Chaos: Samvel Martirosyan Provides Details

Information security expert Samvel Martirosyan writes: "The coronavirus has changed many things, created many problems, and highlighted many existing issues. One of the most interesting topics is the protection of personal data and data leaks, along with their potential consequences.

A bit of history

The issue of personal data protection in Armenia has always been problematic, as there has been neither a state approach nor a public demand. At the beginning of the 2000s, a law on personal data protection was written, which ended up falling into disuse, as it was forgotten from the day it was adopted. Ten years later, in 2015, the Law on Personal Data Protection was adopted, and the Personal Data Protection Agency was established, operating under the aegis of the Ministry of Justice.

Data leaks have indeed occurred until recently, some quite significant. For example, in 2012-2013, there was a major leak of phone number databases. However, at that time, much data could not have leaked, as a lot was still kept on paper.

The current situation

As I mentioned, we already have the Law on Personal Data Protection and a corresponding agency. But we lack many things beyond this law. The fine for violations, leaks, or negligence ranges from 200,000 to 500,000 drams and has never been applied in modern Armenian history.

On the other hand, we are experiencing rapid digitization. State documentation has been digitized for years. The relationship between citizen and state is increasingly moving away from paper, as new sectors fall under electronic governance. On the flip side, the law and the agency cover only half of the issue. Without clear regulations on how to use personal data repositories, who has the right to access them, and what levels of protection are required in working with different types of data, we face the situation we are in today.

What do we have today

In the June-July season, we have already encountered an enormous number of leaks. Let’s look at the recorded cases sequentially:

June 2: The “Prison” Facebook page publishes a list of individuals who died from coronavirus.

June 11: An Azerbaijani hacking group that has been attacking Armenian email accounts and social media accounts for years publishes over three thousand details of individuals infected with the coronavirus and those in contact with them. Names, birth dates, addresses, phone numbers, and passport series are made public, with most “victims” being from Armavir.

June 24-26: The same hacking group publishes approximately two thousand more details on Armenians, this time without passport information.

July 5: The same group begins publishing photos of Armenians' passports, including data on an employee of the Artsakh National Security Service.

July 6: Several hundred Armenian passport details are published on an Azerbaijani hacking forum, including passport photographs where individuals are holding their passports. Such photographs are typically required for loans or similar transactions, where the person's identity must be verified. I should note that data from an Artsakh National Security Service employee is also included.

This is one example of a leak. I have deleted some information.

You will agree that this volume of data leaks in one month is indeed catastrophic. What is even more concerning is that the leaks are diverse. It is clear that the sources are not one or two.

What can we infer from these attacks:

  • a. The “Prison” case is evidently aimed at internal political strife, indicating that at any moment an internal source could orchestrate a serious leak on behalf of a political force.
  • b. The leaked coronavirus data varies among files and records, which likely indicates that they stem from multiple sources.
  • c. Knowing the specific Azerbaijani hacking team’s modus operandi over the years, it can be almost certainly deduced that they obtained the data not through attacks on systems, but by hacking personal email accounts, primarily via generalized templates and phishing attacks on the mail.ru system.
  • d. This means that numerous state officials, healthcare workers, and representatives of local self-government are exchanging such information using personal emails, or they utilize personal accounts altogether as functioning ones.
  • e. The most troubling aspect is that military data is managed in the same careless manner.
  • f. Overall, there are no clear regulations on who and how may use this or that information. There are no demands and rules for working with information. No official is clearly informed about how they can and should protect digital accounts. In short, there is no clearly defined, written policy on this issue.
  • g. There are no strict and clearly defined penalties for violations. The existing fines are almost insignificant compared to the damage incurred.
  • h. There are virtually no regulations visible in the private sector. The existing fines clearly suggest that it is easier to pay 200,000 drams once than to regularly pay a specialist to oversee digital security and information management.
  • i. If nothing is done, we will have more and more significant leaks. Our citizens will become increasingly vulnerable.

What to do  

  • a. Finally, establish a cybersecurity center.
  • b. Significantly increase the scope of the Personal Data Protection Agency. Drastically increase fines and enforce them consistently. Suspend the operations of individuals and organizations that cannot manage personal data responsibly.
  • c. Have a clear state policy encompassing information security and personal data protection. Specify the responsible bodies. Today it is unclear who the public should hold accountable.
  • d. Conduct appropriate training for all public officials working with personal data.
  • e. Raise public awareness on the topic."
