At the beginning of December, a database of users of the Kundelik electronic diary, an analogue of the Russian 'Dnevnik.ru' system, appeared online. At least thousands of records containing students' full names, dates of birth, names of educational institutions and classes have been made publicly accessible.
According to the Telegram channel 'Access to the Sea', the exact scale of the leak is currently difficult to assess. Files with several thousand lines are available on darknet platforms — this is typically the minimum volume offered as a 'sample' for buyers.
It is also unclear whether the leaked data includes login details, passwords, phone numbers and other sensitive information. Given that Kundelik is a mandatory electronic system for most of the country's schools, and its users include millions of students, parents and teachers, the consequences of the leak could be significant.
It has become known that the Kundelik platform is owned by its founder Mukhtar Ilyasov and partner Askar Bishigayev (through Innovation Process Group), Dinara Kulibayeva (MP Innovations) and the Russian company Dnevnik.ru LLC, on whose technology the Kazakh service is built.
The largest co-owner of Dnevnik.ru is entrepreneur Gavriil Levi, who owns a 49% stake through a chain of structures. Stakes are also owned by former employee of the Federal Penitentiary Service (FSIN) Mikhail Kaurov (33%), ex-oil worker Anton Sysonov (18%) and former employee of the Skolkovo Foundation Alexei Solovyov (3%). Since 2011, the company has received more than 500 million roubles from Russian state bodies.
Like its Russian prototype, Kundelik is regularly criticised for its monopolistic position in the market, weak protection of personal data and the introduction of paid features that allow, among other things, disabling adverts.
Advertising integrations have led to scandals in the past — pornographic material appeared in students' electronic diaries. Parents and teachers have also often complained about the unstable performance of the service.
For context, in December last year, the personal data of Kazakh citizens was made publicly accessible after the hack of 'Sirena-Travel'. Information about internal flights of Kazakh citizens between 2007 and 2023 leaked online, containing data on nearly 700,000 flights on aircraft of airlines Air Astana, Scat, Qazaq Air and Bek Air within the country.
The database also included data on international flights of Kazakh citizens on Russian airline aircraft. The leaked files included passenger names, their document numbers, phone numbers and email addresses.
It was later revealed that 'Sirena-Travel' operates in Kazakhstan without official registration.