The Tax Records of 20 Million Russians Were Found Exposed Online

• A cluster of Elasticsearch databases was found exposed on an unprotected Ukrainian server.
• The owner has secured the server now, but not before more than a year has passed.
• The contents include the tax records and PII of more than 20 million Russian citizens.

Researcher Bob Diachenko and Comparitech have found an unsecured server that contained the tax records of about twenty million Russian citizens. The Elasticsearch database didn’t require a password to access it, and so anyone with a web browser could have accessed it since May 2018 when it was first indexed by search engines. Diachenko discovered it a lot later, on September 17, 2019, and three days after he notified the owner, the database was finally protected. Whether or not anyone else had accessed the database is unknown, but it’s unlikely that it stayed untouched for so long.

The exposed cluster comprised of multiple databases, most of which seemed to contain information that was publicly sourced. However, two of the exposed databases included the PPI (personally identifiable information) of millions of Russian citizens, and their tax records. Most of the people who were exposed in these databases appear to come from Moscow and its suburbs. The first database contained 14 million tax records dating between 2010 and 2016, while the second held 6 million records from 2009 to 2015. The contents of each entry were the following:

• Full name
• Address
• Residency status
• Passport number
• Phone number
• Tax ID number
• Employer name and phone number
• Tax amount

Source: comparitech.com

The owner of the database is based in Ukraine, but the researcher didn’t manage to find out which organization or company was behind the provided contact details. No matter who is responsible, there are over 20 million people who are now vulnerable to scammers, phishing actors, and tax fraud campaigners. Considering that the database was publicly accessible by anyone for over a year and that all data was in plain text form carrying no encryption whatsoever, the chances of them being already under active exploitation are pretty high.

In this case, there were no email addresses in the records, so the researchers cannot notify the people who were affected by the security incident. This means that these people now rely on the owner of the database to do that, which is highly unlikely to ever happen. All that said, if you’re from Moscow, beware of unsolicited messages that you may receive on your phone, asking you to click on a URL and claiming anything relevant to your tax ID, passport number, or address. Public agencies would never reach out to you via SMS, but scammers surely would.

Do you have something to say on the above? Let us know of your comments in the section down below, or join the discussion on our social media channels, on Facebook and Twitter.