Stacks of sensitive data lying unprotected

IT specialists discovered that public document registers of state agencies are full of delicate personal information – from home addresses and passport numbers to severity of disability.

A team participating in this weekend's Garage48 hackathon, that concentrated on public and big data this year, announced that they cannot publish the results of their project as it includes too much personal information they stumbled upon in public registers. There are hundreds of such registers all over Estonia – every ministry, agency, local government, school etc. have their own digital documents register.

Analysis of free-to-access documents from a few years ago produced delicate personal information that certainly should not be available to anyone with the skill to look for it.

At the head of team Psii that made the unpleasant discovery was chief of machine learning at Nortal Lauri Ilison who delivered a memorably stern presentation about it at the hackathon.

Ilison said that the team managed to build a program to scour public registers and look for documents that could hold delicate information in 48 hours. „We spent the most time waiting for downloads to finish,“ he said.

Next the team set about going over the documents their scanner had found. „We were shocked to discover we cannot publish these results. Instead we found we should shut the scanner down,“ Ilison said.

He said the team came across documents that included names and severity of disability of people. The team's program had discovered this particular data in the document registers of local governments.

„We initially thought we wouldn't find anything; however, the truth was we stumbled across something right away. We will not be providing any information on how and what we found exactly because we want the data protection watchdog to clean up this mess,“ Ilison said. He added the team has notified the agency of its find.

A similar problem was discovered back in April by Estonian startup Texta that created its own document registers analysis tool. Co-founder of Texta Silver Traat said they discovered a lot of highly detailed personal information in the documents register of the education ministry.

„We held a workshop as part of a language technology conference where we did what the state lacks the capacity to do itself. We downloaded 150,000 documents from the ministry's document register and discovered that they held, among other things, people's personal identification numbers, bank account numbers, addresses. We even came across some passport numbers,“ Traat described. He added that most of the information was from employment contracts.

„While a personal identification number does not constitute delicate personal information, a set of data that also includes the person's name, bank account number, and other things does,“ Traat said.

The company, that analyzed documents in the ministry's register following a request from Postimees, managed to find 39 employment contracts from among 3,000 documents in a single day. The state maintains hundreds of document registers that include millions of documents.

„The problem goes much further. We could easily analyze the entire register, as well as those of other ministries should the custodian develop a corresponding interest,“ Traat said. The co-founder said Texta has notified the ministry of its findings.

While the Estonian Data Protection Inspectorate regularly checks the security of document registers, it does so by hand. Control is often followed by supervision proceedings and less often by fines.

„We look at document registers more closely and hold a major survey once a year,“ said the agency's PR adviser Maire Iro. The watchdog looks at whether registers of ministries, county governments, and government agencies offer public access to documents that should not be publicly available, as well as that documents that need to be public are accessible.

„We have launched numerous supervision proceedings; however, the need for control action often disappears as institutions realize their mistakes and correct them,“ Iro said.

That said, the inspectorate has been forced to bring misdemeanor proceedings. „When someone has published delicate personal information or privileged information in great volume. Misdemeanor proceedings result in fines,“ Iro explained.

The watchdog has imposed fines in cases where document registers have offered free access to health data, documents with information on domestic violence or custody. One local government's document register offered public access to a forensic psychiatric examination report – its publication resulted in a misdemeanor proceeding. Fines have amounted to around €100.

It is said the situation has improved in recent years. „Officials are better aware and able to pay attention to protection of sensitive information. It is constant work as new documents are registered every day, people move and have to be trained on public information. That is why mistakes happen sometimes,“ Iro said.

The Ministry of Education and Research does not find the problem to be serious. Deputy director of the ministry's general department Terje Mäesalu admitted that it is possible registers offer access to some letters that should not be public.

„Because authors of letters are responsible for their publication as well as restricting access to them, it is possible some things are made public by accident. However, we usually correct these kinds of mistakes quickly upon learning of them. Rather people turn to us to ask why some documents aren't public,“ Mäesalu said.

She added that spot checks are carried out regularly. „Data presented by Texta makes it difficult to understand from which lines of which documents the information has been taken; that is why our finds were limited to names and personal identification numbers both of which are generally public information,“ Mäesalu said.

Adviser at the Estonian Information System's Authority Andres Kütt said that while document registers are in need of systematic reorganization, he does not perceive a direct security risk in the publication of sensitive personal information.

„Personal information has always been publicly accessible in those systems, it simply hasn't been highlighted like that before,“ Kütt said. He added that new IT solutions provide tools with which to highlight mistakes in registers so work could begin on correcting them.

register publicinformation
If you notice an error, highlight the text you want and press Ctrl + Enter to report it to the editor
No rates yet
I recommend
No recommendations yet


Post your comment to communicate and discuss this article.

Chairman of the Estonian Chamber of Commerce and Industry and one of the owners of construction group Nordecon, Toomas Luman, finds that a prime ministerial candidate should first and foremost be able to answer the question of what will become of the demographic crisis in Estonia. The businessman sees controlled introduction of foreign labor as the solution. A digital construction cluster was created in Estonia a few years back to bring innovation to the s...
Last year saw 27,125 registered offenses, up 0.5 percent from the year before. Violent crime was up by 12 percent to 8,249 offenses. PHOTO: Dominic Lipinski / PA Wire / Press Association Images / Scanpix Growth was biggest for domestic violence – the police launched criminal proceedings in 3,607 cases that constitutes an increase of more than one-third – annual growth of 37 percent from 2,632 cases in 2017. At the same time, reports of domestic violence we...
TALLINN - Ahead of the withdrawal of the United Kingdom from the European Union, tens of thousands of British citizens have chosen the citizenship of some other country, but only one Brit has recently chosen an Estonian citizenship. Spokespeople for the Ministry of the Interior told BNS that only one British citizen submitted an application for Estonian citizenship last year and the applicant was also granted the citizenship. Before that, no Brits had soug...
TALLINN - Experts from Finland, Denmark, Norway and the Netherlands highlighted the importance of decentralization and granting local governments greater decision-making powers at a conference titled "Strong local government -- strong state?" in Tallinn on Wednesday.  All Nordic countries have chosen a model granting local governments significant decision-making powers, thus the central government does not prescribe how local governments are to fulfill the...
The language learning application Drops by game developer Planb Labs, established in Estonia by Hungarian founders, was named Google Play's best app of 2018. With the number of downloads surpassing 10 million, Drops was named Google's app of the year as the revenue of Planb Labs, a company registered in Estonia, increased fivefold, CNBC said. The developer's revenue grew from €335,000 in 2017 to €1.7 million in 2018. The company's shareholders include Hung...
TALLINN - The Estonian Health Board has banned the distribution of chlorine dioxide, also marketed as the Miracle Mineral Supplement (MMS), the A-component of an unused product, meaning the sodium chlorite solution, must be taken to a hazardous waste collection facility. Ester Opik, head of the Health Board's North regional department, said that the banning of the distribution of the product was caused by the fact that MMS, distributed as a cosmetics produ...
Nature cannot abide a vacancy, as the saying goes. If just one year ago, Estonia was battling the sale of MMS and the practice of giving it to children, a new “miracle cure” called Advanced TRS has appeared on the market now. Even though the make-up of the substance is different, the promise to cure autism and cleanse the body of heavy metals, which kind of extreme detox is accompanied by severe side-effects, sounds all too familiar. TRS is recommended to...
Allied NATO battalions will soon mark two years serving in the Baltics. They have worked better than expected but would need prepositioned heavy weaponry and a functional contingency plan in case of a crisis, a report by the International Center for Defense and Security (ICDS) finds. “We do not know how Russia would have acted had we not welcomed allies in Estonia, Latvia, Lithuania and Poland in 2017. I’m afraid they would have tested our resolve,” one of...
The time of filing income tax returns is nearly upon us. The new income tax system, in effect since last year, will obligate many women who went on maternity leave toward the end of the year to make additional income tax payments, while those who give birth in the middle or at the beginning of the year have no such obligation. What this means is that some women will owe the state simply for giving birth “at the wrong time”. Laura Roop, who went on maternit...