Threat Level: green Handler on Duty: Renato Marinho

SANS ISC: InfoSec Handlers Diary Blog - A Possible Data Breach at Romanian Finance Ministry? Maybe Not. InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

A Possible Data Breach at Romanian Finance Ministry? Maybe Not.

Published: 2007-03-24
Last Updated: 2007-03-27 23:52:43 UTC
by Lenny Zeltser (Version: 5)
0 comment(s)
An ISC reader shared with us a link to a story reported by a Romanian news agency that seems to describe a data breach at Romanian Finance Ministry (thanks you!). According to him, the article discusses a vulnerability on the website of Romania's National Agency for Fiscal Administration (main unit of the Romanian Finance Ministry, equivalent of the IRS in the USA):
This vulnerability made available the full information about all of Romania's ~22 million citizens, including the Personal Number Code (CNP - "Cod Numeric Personal" - equivalent of the Social Security Number in the USA)
Even more, full identifying data of each tax payer is/was available. In addition to the CNP this also includes the full name, full address, and full finance information, including informations about taxes and duties paid to the state budget.
This sounds like a very severe breach. Unfortunately, we don't have a way of verifying the person's description of the article, and we cannot translate the article's text ourselves.

The article's text is available at:
http://www.ziua.ro/display.php?data=2007-03-13&id=217445
Update March 25: Another ISC reader wrote to let us know that a search in the on-lines archives of two important Romanian news portals (hotnews.ro and ziare.ro) did not return any results related to the alleged brief. The person also commented that reporter who wrote the original story, referenced above, did not include any details in the article to support the claim of a breach.

Update March 26: ISC reader Ciprian Pantea translated the most of the article for us. The article's text states that the reporter was able to compromise security of the agency's website and expose the sensitive data. The article does not offer any details regarding the vulnerability. According to the translated version of the article, a "problem in the security systems of the servers of MFP permits every user of a computer connected to the Internet to access the database administred by ANAF. In this way one can obtain complete information about certain individuals." However, we still have not seen any confirmation of the described security issue.

Update March 27a: Another ISC reader KC shared with us his or her perspective on the article: "This article explains how a local Romanian newspaper was able to gain access to the private site without the use of any special hardware or software and therefor were not breaking any laws in discovering the vulnerability in RFM system. They went public with the information because they notified the RFM regarding the issue and never received a response."

Update March 27b: Another ISC reader pointed out that the article "does not actually claim that all citizens have had their personal data exposed. Plus, it seems that it was not 'full finance information, including informations about taxes and duties paid to the state budget,' but just some information on the type of tax these people were supposed to pay."

-- Lenny

Lenny Zeltser
InfoSec Practice Leader
Gemini Systems, LLC
www.zeltser.com
Keywords:
0 comment(s)
Diary Archives