At the end of last week, sensitive information about several public figures in Argentina began to circulate on Twitter. The tweets from the data breach included ID photos, processing numbers, dates of birth and other information attached to the DNI.
Later, a user in an Internet forum offered for sale “all the information” that is in the Argentine document. This Wednesday, RENAPER, the body in charge of identifying everyone in the country, said that it was not the victim of a hack. However, it pointed out that it detected “user misuse or theft of the user’s password.”
The agency’s statement details that on Saturday, October 9, it learned that the Twitter account “aniballeaks”, which is suspended due to a complaint, had published images of 44 people. Alerted by this situation, the security team queried the Digital Identity System (SDI) about the people involved. The query revealed that 19 of the images had been consulted in the system at the same time they were published on the social network. The connection, according to the official version, was made over a VPN (Virtual Private Network) between RENAPER and the Ministry of Health of the Nation.
The SDI allows remote identity validation in real time with RENAPER. It returns the data contained in the National Identity Document of any Argentine just by entering their ID and gender. After the analysis, the office, which is under the Ministry of the Interior, stated that all the images published on Twitter had been consulted from the same VPN connection. Therefore, it concluded that no “unauthorized access to their systems or a massive data breach” occurred.
Repercussions of the RENAPER data leak
Asked by Kirkwood student media whether citizens should worry about this precedent in the future, the lawyer Daniel Monastersky, who together with Facundo Malaureille requested that a possible crime be investigated, said that “it is hasty to be able to evaluate what may happen because there is still no reliable information”.
The lawyer, who also serves as director of the CEMA Center for Cybersecurity Studies, asked that the victims be notified. In that sense, he pointed out that “Argentine regulations in relation to data protection have been around for many years” and that, unlike under the European GDPR, there are recommendations to report this type of data breach, but reporting is not mandatory.
The problem is not limited to the improper circulation of data that could be used to impersonate the victims. The leak also includes the DNI process number, a fundamental element for carrying out remote procedures with the National Social Security Administration (ANSES). It is also required by the CuidAR app, which lets users make a self-diagnosis of COVID-19 symptoms.