A major data leak has revealed millions of records from a Latvian document management system, primarily used by the Latvian government.
While e-government vastly benefits citizens, going digital has its downsides. Namely, data safety. Enter Lietvaris, a document management system utilized in Latvia, a Baltic nation of 1.9 million.
The Cybernews research team recently uncovered massive amounts of public-facing data stored on an unprotected Elasticsearch cluster. The exposed instance, which the team attributed to the Lietvaris platform, houses a staggering 25 million records, a huge number for a nation with less than two million citizens.
“This incident underscores how important it is to keep data protected. Especially for government-associated organizations that store sensitive personal information on a large scale,” researchers said.
Our researchers contacted Lietvaris’ creators, Latvian software firm ZZ Dats, and the open instance was promptly closed, assuring the team that an internal investigation would be launched to understand the issue.
Cybernews has also reached out to ZZ Dats for an official comment, and we will the article once we receive a reply.
Lietvaris is mostly used by public servants to process citizens’ applications and service requests, which explains why the platforms’ data was stored on Elasticsearch. Businesses utilize it to store and process swaths of data.
Meanwhile, the team claims that the exposed instance stored:
While there’s no indication that attackers siphoned the exposed data, malicious actors continuously monitor the web for unprotected servers and have an automated process for downloading public-facing details.
According to our researchers, cybercriminals could cause trouble if they did get hold of the data. Most obviously, revealing full names with national IDs and home addresses increases the risk of identity theft, as the dataset allows convincingly impersonating individuals.
“Another issue is privacy violation as the unauthorized release of personal data infringes upon citizens’ privacy rights. Moreover, the leak could erode public confidence in official data handling,” the team said.
The only silver lining is that ZZ Dats was quick to respond and solve the issue, taking the data off the public's view in less than 24 hours.
To mitigate the issue, researchers recommend the following actions:
