Personal Data of Millions of Georgian Voters Exposed Online

Security researchers found a listing on hacking forums, one that contained personal information on Georgian citizens. That data dump was sized at 1.04 GB and it was included in the Microsoft Access Database.

The document was shared with the news outlet ZDNet. It included details such as names, addresses, dates of birth, ID numbers, phone numbers and more. Georgia's population numbers about 3.7 million citizens, the exposed database included 4,934,863 entries. About a third of the population of the country includes those who are incapable of voting at the time, such as those under a voting age. The database wasn't kept up to date, since the information included the entries of deceased citizens as well at the living.

At this time it is unclear who leaked and published the data dump, nor the response of the government to a data breach of this massive size. The results for the affected users may be serious, however.

The information's origin is allegedly a government website

The information about the breach is scarce at this time, as not much is available. The person who published the data claimed it was coming from the government-operated website voters.cec.gov.ge. The website was used by the citizens to verify voter information in their database.

It is possible the personal information of the Georgian voters may have been obtained using the Android app paired with the voter registration website. There is no evidence of that being the case yet, however. Security researchers believe the attackers may have brute forced their way into the system, guessing the password with multiple login attempts over a course of time.

At the time of writing this, voters.cec.gov.ge is still down, most likely still due to the data breach that affected it. A ZDNet correspondent attempted to contact the Central Election Commission of Georgia, but failed to get a reply back.

Data breaches are a problem for governments and businesses worldwide

The Georgian elections are supposed to take place in October 2020, but considering the data breach that might affect the number of people willing to get registered. Risking loss of personal information like an ID number can be dangerous, as the citizens of the country may find themselves targeted by scams and banking frauds.

The past few years have seen multiple security breaches and leaking of data in both the private and the government sectors across the world. A more recent example of that could be seen with the developers of the Maze, Sodinokibi and DoppelPaymer malware, who exposed sensitive information stolen from organizations and businesses.

With the global pandemic still increasing in numbers of infected, governments and healthcare organizations have their hands full. This in many cases leaves them vulnerable to attack, since cybersecurity takes a back seat compared to more pressing concerns like the infected. Examples of this could be seen with the recent Mespinoza ransomware attack in the French government and the data breach in Chile when 80% of voters had their personal information exposed due to weak security of a local database.