The Baltics take pride in how highly technological their countries are: they offer all kinds of online state services, digital signatures, e-governance. However, they also face a lot of cyberattacks, especially the ones conducted by foreign governments.
The question of cybersecurity in Estonia, Lithuania, and Latvia is acute. The government does not put heavy emphasis only on how to protect oneself from the attacks but also urges companies to have a plan for recovery. The motto switched to “not if but when”. Thus, the Baltics are among the best players in cybersecurity, with Estonia ranking as 4th and Lithuania as 11th in Global Cybersecurity Index.
In this article, we are going to review the top-10 cybersecurity breaches in the Baltics which led them to become so powerful in their cybersecurity efforts.
#1 Estonian Information System
Estonian Information System, also known as RIA, is the national registry of systems, components, services, data models, semantic assets. Its main objectives are to offer transparency to the government and ensure interoperability of all the public sector information systems.
In 2021, RIA faced a massive data breach that leaked ID photos of citizens. Hackers found people’s personal identification codes and names in the public domain and, using them, requested to download the photos. The system thought that they were real citizens and provided information without any complications.
As a result, almost 300,000 Estonian citizens were affected. The data never traveled further than the hacker’s computer and was not misused. The vulnerability was fixed and the hacker was found and arrested.
#2 Three Estonian Ministries
The Ministry of Economics and Communication, Ministry of Foreign Affairs, and Ministry of Social Affairs faced significant breaches in November 2020.
The Ministry of Social Affairs lost data of more than 9,000 citizens regarding the spread of infectious diseases and publically available data was accessed in the Ministry of Foreign Affairs. The main aim of hackers were agencies in the ministry’s administrative area: Road Administration, Consumer Protection Authority, Technical Regulatory Authority, Geology Service, Civil Aviation Administration, and Maritime Administration databases. Overall, 11 servers were hacked. However, it was mainly either publicly available or outdated data.
The IT professionals cut off the hacker within 8 hours after the breach and patched up everything. The affected citizens were informed but no medical records or other overly sensitive data was leaked.
#3 Estonian Local Email Provider, Mail.ee
Mail.ee is a local email provider that is popular among Estonians.
In 2019, the hacker used zero-day vulnerability to attack high-profile users who were interesting to a foreign country. A state-sponsored hacker sent emails with a code to the chosen users and once they opened them, the code was executed and forwarded all the emails of the account to the hacker’s account. Users did not have to click on some link or open an attachment – it was enough to just open an email to get compromised.
The generic users were not affected, the vulnerability was patched, and compromised accounts were contacted. Estonian Internal Security Service (KaPo) also issued a guide on how to choose a secure email provider and informed businesses and organizations about how their data can be of interest to other countries.
#4 Estonian Schools Information System (EKIS)
Estonian Schools Information System (EKIS) is a database that collects all the information connected to education in Estonia: a list of kindergartens, schools, and universities, data about teachers, professors, and students, graduation documents, curriculum, etc.
In 2018, experts found a vulnerability that existed for years and allowed anyone to download information about descriptions of children’s medical conditions, behavioral problems, family relationships, entire educational history, counseling programs, criminal charges of physical abuse, etc.
The data of 500 kindergartens and schools, with 200,000 documents from 2015 to 2018, were available publicly. The ministry blamed everything on schools for not entering data safely. The vulnerability was later patched.
#5 Estonia Cybersecurity Attacks 2007
Estonia cybersecurity attacks in 2007 have become the main reason why the state became so engaged about cybersecurity threats.
In 2007, the Estonian government decided to move the Bronze Soldier of Tallinn, as a symbol of Soviet liberators, from the city center to the outskirts because ethnic Estonians perceive Soviet forces not as liberators but as oppressors. The decision sparked outrage among the Russian speakers.
As a result, they protested on the street and Estonia faced the second most massive state-sponsored cyberattack in history. It was sponsored by the Russian government. Estonian organizations, including the Estonian parliament, banks, ministries, newspapers, and broadcasters have become a target of cyberattacks, tons of spam traffic was sent their way.
Banking was not available, the news could not be uploaded or even printed, government employees did not have a way to communicate remotely because their email system was down. This incident brought attention to cybersecurity crimes all around the world and forced NATO to acknowledge cybersecurity attacks as a crime.
#6 Estonian Provider of Legal Assistance, Hugo
The company Hugo, which offers free legal advice and is sponsored by the Estonian Ministry of Justice, has to send reports about who sought advice, when, and why. Hackers gained access to the report of Hugo in June, with more than 2,000 cases and data on more than 1,000 service users.
The reason behind the breach is very simple: one of the officers forgot to tickle the “Hide data” box while reviewing information. The case emphasizes how important it is to train employees who work with data because they are the main reason for the breach in most cases.
#7 Content Management Systems of Lithuanian Websites
In 2020, Lithuania faced the most complex cybersecurity attack in years. The hackers breached the content management systems of the 22 Lithuanian public sector websites.
After they gained access to the websites, hackers posted fake news about Polish diplomats with drugs on the border, corruption in the airport, and an excessive number of drafted Lithuanians. They also impersonated the defense and foreign ministries, Šiauliai Municipality Administration, and sent emails about the fake stories to as many people as possible.
#8 Lithuanian Ministry of Foreign Affairs
Lithuanian Ministry of Foreign Affairs was breached in 2020 and exposed emails of all its employees. There is top secret information about war with Belarus, negotiations with the US president Biden, Nord Stream-2, etc.
Overall, the hacker claims to have 1,6 million emails with attachments, 300GB of Outlook data, and personal data of the Ministry and embassy employees. There are about 10 years of email conversations. The hacker was selling the data on a data-exchange platform and their prices were peaking due to high demand. The ministry could not confirm whether the correspondence is legit.
#9 Lithuanian Car Sharing Platform, CityBee
CityBee is a Lithuanian platform for car sharing where you pay only for the usage time and kilometers. No need to pay for insurance, gas, or even parking. The platform offers 1300 cars at the moment.
In 2021, they faced a breach due to poor security efforts. CityBee used Azure Blob, storage provided by Microsoft and they did not secure them with authentication, even though storage allows them to do so.
The carsharing leaked information of 110,00 users, including users’ names, personal identification numbers, telephone numbers, e-mail, and home addresses, driver’s license numbers, and encrypted passwords. The information was up for sale on one of the foreign websites.
#10 Lithuanian Fintech Company, MisterTango
MisterTango is a fintech company with its main office in Vilnius, Lithuania. It offers low-cost payment and exchange services to numerous countries in the European Economic Area.
In 2018, their company was breached and transaction information of 9,000 payments became publicly available. In the process of the investigation, DPA found that MisterTango failed to inform everyone about the breach within 72 hours and required more information for payment processing than it was needed to. Thus, it became the first GDPR fine issued in Lithuania and it reached €61,500.
Cybersecurity in the Baltics is especially important, with such a level of politically-based attacks and digitalization of the state. The consequences of data breaches in the Baltics are not only financially horrendous (considering the GDPR fines and strict governmental policy) but also impose threats like the leak of diplomatic information, the spread of fake news, and easy access to huge ID databases.