ARGENTINA: A hacker with access to the National Registry of Persons is offering the personal data of Argentine citizens on the dark web

27.10.2021 | Author: Top privacy s.r.o.

A hacker breached the Argentine government's IT network and "stole" the information contained on the ID cards of the entire Argentine population. The stolen data is currently for sale on a dark web forum.

According to information from The Record, the attack took place in September and targeted RENAPER (Registro Nacional de las Personas), which translates to the National Registry of Persons. RENAPER serves as the central government database of the Ministry of the Interior and is widely used by various Argentine agencies to retrieve personal data on Argentine citizens. It contains images of all national ID cards ever issued by the government, along with the information displayed on the cards, in digital text format for easier searching.

The first evidence that someone had breached the RENAPER database emerged in early October, when a newly created Twitter account, @AnibalLeaks, published photos of ID cards and personal data belonging to 44 well-known Argentines. Among those exposed were President Alberto Fernández himself, as well as well-known journalists and politicians, and prominent figures from the world of soccer, such as Lionel Messi and Sergio Agüero. The publication of these photos and data served as proof that the hacker had access to the database.

The day after posting the photos and personal data on Twitter, the hacker posted an ad on a well-known hacker forum, offering access to the personal data of any Argentine citizen for a fee. His Twitter account was suspended just before he could publish further evidence.

The attack itself drew significant media attention, prompting the Ministry of the Interior to issue a statement. The ministry confirmed the system breach three days after the photos were published. However, in its statement, the Argentine government denied that the RENAPER database had been hacked, adding that the database itself had not suffered any data breach or leak. The government also informed the public that one of the Ministry of Health’s VPN accounts was used to search for 19 photos in the RENAPER database at the exact same time the photos were posted on Twitter. Based on this fact, the Argentine government does not believe that the cyberattack originated from outside the country, but rather believes that an employee of the Ministry of the Interior with access to the database was responsible for leaking the information. The ministry confirmed in a statement that eight government employees are currently under investigation on suspicion of possible involvement in the attack.

Tony Pepper, CEO of Egress, a cybersecurity firm, also commented on the attack, calling it monumental:

“The black market for stolen personal data is big business, and cybercriminals will stop at nothing to find their next big payday. This attack should serve as a warning to governments: cybercriminals have the means to carry out large-scale, sophisticated attacks, and their citizens’ data is at risk.”

“With the data of millions at risk, Argentine citizens are currently the primary targets of follow-up attacks, such as financial fraud, sophisticated phishing attempts, and identity theft, aimed at stealing more personal data, identities, and even their money.”

The Record contacted a person who was offering access to the database on hacker forums, and that person confirmed that they were not a government insider and that they possessed a copy of all data from the RENAPER database. The hacker confirmed this information by providing the website with personal data—including the social security number (known as the “Trámite number”)—of an Argentine citizen whom the website had selected itself. From the data provided, it was determined that the hacker has access to the following personal information about citizens: full name, address, date of birth, gender, ID card issuance and expiration dates, employment identification code, social security number, national ID number, and government-issued ID photos. The hacker also indirectly confirmed how the breach occurred—this indirect confirmation came when the hacker responded to a government statement about a compromised VPN account with the comment “irresponsible employees, yes.”

Sources:
https://therecord.media/hacker-steals-government-id-database-for-argentinas-entire-population/
https://www.zdnet.com/article/twitter-suspends-hacker-who-stole-data-of-46-million-argentinians/
https://www.silicon.co.uk/security/cyberwar/hacker-steals-database-argentine-citizens-421978
https://www.biometricupdate.com/202110/potentially-devastating-digital-id-hack-in-argentina-could-have-many-ripples

