Estonia says a hacker downloaded 286,000 ID photos from government database

Estonian officials said they arrested last week a local suspect who used a vulnerability to gain access to a government database and download government ID photos for 286,438 Estonians.

The attack took place earlier this month, and the suspect was arrested last week on July 23, Estonian police said in a press conference yesterday, July 28.

The identity of the attacker was not disclosed, and he was only identified as a Tallinn-based male.

Suspect abused a vulnerability in RIA database

Officials said the suspect discovered a vulnerability in a database managed by the Information System Authority (RIA), the Estonian government agency which manages the country's IT systems.

In a FAQ page published yesterday, RIA said its database usually checked with five different subsystems before returning a query to display a user's government ID photo.

"The suspect discovered a security vulnerability in one of RIA's applications that did not sufficiently check the validity of the query," RIA said yesterday.

To exploit the vulnerability, RIA said the attacker had to provide the name of an Estonian citizen, along with their correct personal identification code.

According to Oskar Gross, Head of the Cybercrime Bureau of the National Criminal Police, this information was discovered on the suspect's computer during a house search last week, along with the downloaded photos.

Stolen photos were retrieved by authorities

Officials said they don't believe the suspect transferred the stolen photos to another party but that an investigation is still looking into the matter.

RIA said it patched its database and verified to see if other of its systems are affected by the same bug.

The agency said it is now notifying all the affected Estonian citizens via email about the incident. The incident was not considered severe enough to ask individuals to take new photos and change their IDs.

The incident's timeline, as released by Estonian authorities, is below:

• July 16 – SK ID Solutions informs RIA of a higher number of queries.
• July 21 – RIA detects the mass download of data from the Identity Documents Database (KMAIS) through additional monitoring and closes the service.
• July 22 – RIA tracks down the possible IP address used to download the photos and forwards the information to the police.
• July 22 – RIA launches an internal investigation to determine the reason how manipulation of the control mechanism of the image storage system was possible.
• July 23 – The police arrests the man suspected of downloading the data and performs the initial procedural acts.
• July 23 – RIA reopens the fixed image system that again allows people to download their document photos.
• July 23-27 – RIA also investigates the possibility of using a similar attack vector in other services.