Personal data – chronicle of a “nonexistent” crime; Investigation of data leaks, too little, too late

Authors: Ardit Toca, Maria O’Donnell and Xhuana Çallaku

“We showed them the fire, but they kept looking for smoke”…

On April 11th of last year, two weeks before Albania’s Parliamentary elections, Lapsi.al broke the news that there was a data breach in Albania. This breach released the private information and personal data of nearly 910,000 individuals, almost one third of the entire population of Albania.

Rather than questioning anyone suspected of being involved in the breach, prosecutors chose to investigate Andi Bushati and Armand Shkullaku, the reporters from Lapsi.al who broke the news about the data breach.

“The prosecution asked the court to seize everything; cellular, computer, server, USB, etc. While standardized (protocols) require that in these cases, not only are the devices not seized, but access to these devices must also be surgical,” said Dorian Matlija, the lawyer representing Lapsi.al. “The prosecution with its actions seriously endangered the journalists’ relations with the sources, but also risked releasing other materials of journalists that are not related to the case.”

After eight months of government silence, three more data breaches occurred, jeopardizing the safety of Albanian citizens.

“A proper investigation of the first case would have had a deterrent effect on any individual who could misuse Albanian data,” said Matlija.

In other words, if the prosecutors had questioned the people who had caused the breach rather than the journalists who broke the story, then the subsequent data breaches that released the personal information of thousands of Albanian citizens might not have happened.

One Day Later

The day after the first data breach, SPAK, the Special Structure Against Corruption and Organized Crime, began its investigation. For six months, until October 1st last year, SPAK stayed on the case.

According to Euronews Albania, SPAK demanded that the two Lapsi.al reporters who released the news hand over the voter database they had obtained, and took the demand to court, but the case was eventually dismissed by the Appeal Court.

On April 23rd last year, the Information and Data Protection Commissioner’s Office published a news release stating that they were “carefully monitoring the situation created by the violation (illegal disclosure) of citizens’ personal data.” The office said that it would issue a report in the near future.

The Office did not release the report until four months later, on August 19th. This report specified the information released and detailed the actions of the Lapsi.al journalists, but found no one guilty of leaking the data and no one guilty of using it.

The annual report from Freedom House called “Freedom in the World 2022” noted that “critics, including members of the opposition, have accused the PS of stealing the data from official government websites and using it to ‘intimidate’ voters. The ruling party has repeatedly denied that the database was created or used illegally.”

“There may be different cases of data leakage in neighboring countries and also in those of the European Union, but the Albanian [data leaks], in my estimation, are unprecedented,” said Erida Skëndaj, the Executive Director of the Albanian Helsinki Committee.

Edi Rama, the Socialist chairman, won the election and was able to continue his eight-year reign as prime minister.

Nearly six months after the April breach, SPAK handed over the investigation to the prosecution.

“At the beginning of October 2021, SPAK informed the media, declaring incompetence (as the cause of the data breach), arguing that there are no elements of corrupt acts, transferring it to the Prosecution at the Tirana Court of First Instance,” said Skëndaj.

Even after the prosecution took over the case, no changes or improvements to Albania’s data security system were announced.

“The risk is high and permanent (for other data breaches); because … we have recently seen thousands of complaints, which came from citizens, saying that they were receiving offers for employment,” said System Security Engineer and IT Expert Besmir Semanaj. “This typology also paves the way for other attacks.”

Eight Months Later

On December 22nd last year, eight months after the April data breach, another data breach occurred. This leak exposed the monthly salaries, job positions, names, and ID numbers as of January 2021 for nearly 630,000 people working in the private and public sectors.

The next day, the salaries of thousands of Albanian citizens for the month of April 2021 were exposed through WhatsApp.

Skëndaj expressed the seriousness of the situation, pointing toward factors such as “the type of data administered, the entities that are suspected of having distributed and further processed this data for certain purposes, the very high number of people affected by the circulation of this data, as well as the short time, in less than a year, within which these massive leaks occurred.”

Following the leak of the salaries, Prime Minister Edi Rama stepped forward and apologized for the database leak in a news conference on December 23rd.

“According to a preliminary analysis, it looks more like an internal infiltration rather than an outside … cyber-attack,” Rama said. “I have an idea that this was done to create confusion and animosity between the people and (the government).”

A third data leak occurred on December 24th. It contained the license plate numbers of 530,452 Albanian citizens and 61,513 banks, businesses, and embassies. Even the exact color and manufacturer of the car were listed.

“The biggest danger is the cloning of identities and the use of them for criminal and terrorist acts… The only choice is to change the cards and the algorithm for their production,” said Semanaj.

The Response

After eight months and four security breaches, on January 7th of this year, prosecutors in Albania arrested four suspects for possibly stealing the personal information of more than 630,000 people. These arrests were made for the second and third data breaches, but not for the first data breach in April 2021.

The prosecution said two of the people arrested were IT technicians who worked at the state tax office, while the other two had bought the data and were working in the private sector.

“Regarding the data flow (salaries, license plates), the Prosecution at the Court of First Instance Tirana has mainly launched investigations into this case since the day that this data came out. Regarding this case, four persons have been arrested, respectively citizens E.Q, A.A, K.S and E.I, who are still under the security measure ‘home arrest’ and ‘obligation to appear,’” prosecutors said in a statement.

Jones Group

On January 11th of this year, the Albanian government hired the US-based company Jones Group International to help with cybersecurity.

Prime Minister Edi Rama stated that the country and the group had signed a memorandum of understanding that they will work “on strengthening security of the digital systems.”

When asked about the types of work the Jones Group does, John Lord, the President of Jones Group Europe, said “the Jones Group team provides cyber security and information security advisory services to governmental and critical infrastructure customers around the world.”

Jones Group is based in the U.S. state of Virginia and was founded by General James L. Jones, the former National Security Advisor to President Barack Obama.

“Our team has completed a wide variety of cyber-related projects in energy and information technology, each with differing requirements, and we have been successful in meeting our client’s requirements,” Lord said. “The Prime Minister, supported by his Council of Ministers and the Albanian Parliament, has already shown significant leadership towards strengthening the cyber security posture of Albania.”

But if it was an “internal infiltration rather than an outside … cyber-attack,” as stated by Prime Minister Rama, why did the Albanian government hire an outside consultant like Jones Group?

When asked that question, the National Agency for Information Society (NAIS) said, “collaboration with Jones International Group focused on assessing international ISO standards, drafting the technical plan at the individual institutional level on cyber recommendations and implementing physical infrastructure aims to minimize the likelihood that such incidents will occur again.”

Because it was an internal attack, there is concern that it might happen again.

“NAIS is not an institution whose employees must go through the vetting procedures, but in order to have a clearer idea on the reliability of the applicant, the list of documentation required for application are the Certificate of Judicial Status and [other] documentation of this nature,” NAIS said in a statement.

On May 1st, Rama announced his collaboration with NAIS, saying the entire country will be using e-Albania, a portal NAIS created that allows citizens to access certificates and documents regarding public services. Although the portal had been around for many years, this was the first time all government agencies were required to use it.

Data Security in the US

The government data breach impacting the largest number of individuals in the U.S. happened in December 2015, according to Digital Guardian, a data loss prevention software company. It involved the leak of voter registration information.

The personal information of 191 million people in the U.S. was released because of a database that was incorrectly configured.

Oftentimes, the reason for data breaches is a lack of awareness of data security or human error.

“In the finance or healthcare industry, there’s a lot of secure documents that are floating out, but I think it’s mostly just to deal with people wanting money or people in a company not being educated enough to not engage with phishing emails [or] anything along those lines,” said Kyle Cleaver, the Business Development Representative at HelpSystems and an employee at Digital Guardian.

However, in Albania, as Rama stated, it was an “internal infiltration.”

When asked why these internal infiltrations are less likely to occur in the US, Cleaver said, “Fines [are] higher and higher if [a company] is breached. I know that it’s good for our companies to deal with this software because…they have to be CUI (Controlled Unclassified Information) compliant or they’re going to get fined.”

The Ministry of Infrastructure and Energy in Tirana was asked why, given that there is no official determination that “the data leak was the result of an external attack,” it was necessary to hastily contract Jones Group to strengthen the government’s cybersecurity framework. The Ministry failed to provide a definitive answer and refused to answer direct questions.

The Ministry also did not answer the question of whether there were open procedures for contracting Jones Group and whether other firms were interested in cooperation.

It has been 4 months since the passing of the special law for the signing of the contract with Jones Group, which provides the company with almost full access to the cyber infrastructure of the Albanian state, and to date there has been no update on the claimed improvements to the security infrastructure of NAIS.

In March, US President Joe Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act to prevent cyberattacks like the one that occurred in 2015 from occurring again.

“It helps when the government [is] stepping in and they’re passing all these laws [for cybersecurity],” said Cleaver.

A Future Online

In a news conference on December 23rd of last year, following the second data breach in December, Mirlinda Karçanaj, the Director of Albania’s National Agency of Information, sat right next to Prime Minister Edi Rama.

Karçanaj reaffirmed the security of e-Albania, despite it having nothing to do with the data breaches.

Less than five months later, the entire country was forced to use e-Albania.

In other words, after four data breaches in eight months, the National Agency of Information decided to put the important documents of the Albanian citizens online. This means that family certificates, education enrollments, jobs, pensions, permits and licenses, transport and vehicles, custom services, and health and social protection are all administered through this portal.

“People who have had access to the information obtained from databases have had access to any data that we possess,” said Semanaj. “Albanian citizens are totally exposed.”

On July 17, 2022, NAIS announced for the first time that its infrastructure was under an external cyber-attack, and suspended all public services. Efforts to resolve the emergency situation continue.