Can a public tender be a threat to IT infrastructures in public institutions?

08.10.2018

European Cybersecurity Journal, author: Paweł Sawicki

First, let your imagination run free.

Let’s imagine that an intelligence agency of a foreign country wants to access the personal computers of all Polish deputies and senators. And I do not mean the physical seizing of their computers, but undetected ongoing access to everything that is done on them. It would make it possible to trace the planning process for legislative acts before they even go public or imperceptibly change a few words in them, why not? It would make it possible to get access to private conversations about what exactly the opposing parties think about the governing party and vice versa. It would enable them to search for proof of unethical behaviour or provoke one, or even place compromising materials and incite an international scandal. With unfettered access to somebody’s computer, the only limitation is our imagination. Tempting? Unreal? Mission impossible? Because no one can install spyware on a deputy’s computer, right?

If not the computers of the deputies and senators, then maybe somebody would be interested in hacking the database of the Polish Social Insurance Institution (ZUS) and stealing the personal information of millions of Poles? How much would the data be worth on the black market? Let’s try to assess that. On the Internet, the price for a regular database starts from PLN 0.10 per record. The data available in ZUS are inevitably more valuable and thus worth at least PLN 1.00 per record. It can be easily assessed that even a small data leakage – let’s say of 2 million records – would be worth around several tens of millions of Polish zloty on the black market, not to mention that such a database could be sold more than once.

In August 2016, there was an incident described initially as ‘a leakage from the PESEL database’. PESEL means Universal Electronic System for Registration of the Population; it is a massive central database, currently managed by the minister in charge of computerisation. This register stores the identities of all Polish citizens and foreigners residing in Poland. These data are extremely sensitive and therefore access to them is very restricted. The PESEL system is mainly used by the authorities responsible for the safety of the country: the police, the Internal Security Agency, the Central Anti-corruption Bureau, the Public Prosecutor’s Offices, courts, but also tax offices and bailiffs. The latter were initially blamed for the ‘data leakage’. On 12 August 2016, the Ministry of Digital Affairs informed the law enforcement agencies about extremely atypical behaviour of the entities which collect data from the PESEL database. In a relatively short period of time, at night, the ministry’s servers received hundreds of thousands of requests, and data of more than 1.4 million people were downloaded. At first, it might have looked like a cyberattack. However, after the investigation by the Public Prosecutor’s Office in Warsaw, it turned out that it was not a cyberattack, but an uncommon hyperactivity of bailiffs’ offices. It seems that the data did not fall into unauthorised hands after all.
