Sensitive personal data of nearly the entire population of Georgia was hosted on a German cloud provider unprotected, according to Cybernews, a technology and cybersecurity site. The data leak was discovered by cybersecurity researcher Bob Diachenko and the Cybernews team.
Diachenko reported finding an unsecured, password-less Elasticsearch index containing databases of several million Georgian citizens. One database held about 5 million records, while another contained over 7 million. Given that Georgia’s population is around 4 million, some records may include duplicates or data on deceased individuals.
Phone numbers with information about the phone’s owner
“It appears the data was collected or merged from several sources, including government or commercial databases, as well as phone number identification services,” Diachenko commented.
Experts say the German cloud provider’s server was shut down shortly after the leak was discovered, but risks to those affected by the breach remain.
“Without clarity on who owns this data, the victims of the breach have limited options for seeking justice. It’s still difficult to enforce data protection laws and hold those responsible accountable. This breach highlights the challenges of cross-border data protection and regulation,” Diachenko added.
What the former head of Georgia’s Ministry of Defense Cybersecurity Bureau, Andro Gotsiridze, said about the leak:
The breach may not be new; it was simply discovered recently.
Some of the information in the databases resembles data from a 2020 leak, for which the Election Commission was blamed, though the government denied responsibility.
While awareness of cyber threats is increasing in Georgia, the risks arising from the leak of personal data are still underappreciated by both the government and citizens.
Even a small amount of personal information is enough to commit crimes in your name, hack you, track you, or cause physical harm.
Social engineering campaigns are becoming more sophisticated, so attention must be paid to suspicious messages and offers.
In addition to regular cybercriminals, personal data could be used by hostile nations or politicians to spread propaganda or plan disinformation campaigns.
