Stacks of sensitive data lying unprotected

IT specialists discovered that public document registers of state agencies are full of delicate personal information – from home addresses and passport numbers to severity of disability.

A team participating in this weekend's Garage48 hackathon, which concentrated on public and big data this year, announced that they cannot publish the results of their project as it includes too much personal information they stumbled upon in public registers. There are hundreds of such registers all over Estonia – every ministry, agency, local government, school etc. has its own digital document register.

Analysis of free-to-access documents from a few years ago produced delicate personal information that certainly should not be available to anyone with the skill to look for it.

Team Psii, which made the unpleasant discovery, was headed by Lauri Ilison, chief of machine learning at Nortal, who delivered a memorably stern presentation about it at the hackathon.

Ilison said that in 48 hours the team managed to build a program that scours public registers and looks for documents that could hold delicate information. „We spent the most time waiting for downloads to finish,“ he said.

Next the team set about going over the documents their scanner had found. „We were shocked to discover we cannot publish these results. Instead we found we should shut the scanner down,“ Ilison said.

He said the team came across documents that included people's names and severity of disability. The team's program had discovered this particular data in the document registers of local governments.

„We initially thought we wouldn't find anything; however, the truth was we stumbled across something right away. We will not be providing any information on how and what we found exactly because we want the data protection watchdog to clean up this mess,“ Ilison said. He added the team has notified the agency of its find.

A similar problem was discovered back in April by Estonian startup Texta, which created its own document register analysis tool. Texta co-founder Silver Traat said they discovered a lot of highly detailed personal information in the document register of the education ministry.

„We held a workshop as part of a language technology conference where we did what the state lacks the capacity to do itself. We downloaded 150,000 documents from the ministry's document register and discovered that they held, among other things, people's personal identification numbers, bank account numbers, addresses. We even came across some passport numbers,“ Traat described. He added that most of the information was from employment contracts.

„While a personal identification number does not constitute delicate personal information, a set of data that also includes the person's name, bank account number, and other things does,“ Traat said.

The company, which analyzed documents in the ministry's register following a request from Postimees, managed to find 39 employment contracts from among 3,000 documents in a single day. The state maintains hundreds of document registers that include millions of documents.

„The problem goes much further. We could easily analyze the entire register, as well as those of other ministries should the custodian develop a corresponding interest,“ Traat said. The co-founder said Texta has notified the ministry of its findings.

While the Estonian Data Protection Inspectorate regularly checks the security of document registers, it does so by hand. Checks are often followed by supervision proceedings and less often by fines.

„We look at document registers more closely and hold a major survey once a year,“ said the agency's PR adviser Maire Iro. The watchdog looks at whether registers of ministries, county governments, and government agencies offer public access to documents that should not be publicly available, as well as whether documents that need to be public are accessible.

„We have launched numerous supervision proceedings; however, the need for control action often disappears as institutions realize their mistakes and correct them,“ Iro said.

That said, the inspectorate has been forced to bring misdemeanor proceedings. „When someone has published delicate personal information or privileged information in great volume. Misdemeanor proceedings result in fines,“ Iro explained.

The watchdog has imposed fines in cases where document registers have offered free access to health data, documents with information on domestic violence or custody. One local government's document register offered public access to a forensic psychiatric examination report – its publication resulted in a misdemeanor proceeding. Fines have amounted to around €100.

It is said the situation has improved in recent years. „Officials are better aware and able to pay attention to protection of sensitive information. It is constant work as new documents are registered every day, people move and have to be trained on public information. That is why mistakes happen sometimes,“ Iro said.

The Ministry of Education and Research does not find the problem to be serious. Deputy director of the ministry's general department Terje Mäesalu admitted that it is possible registers offer access to some letters that should not be public.

„Because authors of letters are responsible for their publication as well as restricting access to them, it is possible some things are made public by accident. However, we usually correct these kinds of mistakes quickly upon learning of them. Rather people turn to us to ask why some documents aren't public,“ Mäesalu said.

She added that spot checks are carried out regularly. „Data presented by Texta makes it difficult to understand from which lines of which documents the information has been taken; that is why our finds were limited to names and personal identification numbers both of which are generally public information,“ Mäesalu said.

Andres Kütt, adviser at the Estonian Information System Authority, said that while document registers are in need of systematic reorganization, he does not perceive a direct security risk in the publication of sensitive personal information.

„Personal information has always been publicly accessible in those systems, it simply hasn't been highlighted like that before,“ Kütt said. He added that new IT solutions provide tools with which to highlight mistakes in registers so work could begin on correcting them.

postimees