Personal data leaks have become one of the most pressing issues in our country recently. Information that cases of digital security breaches are increasing in Kazakhstan is appearing more and more often in the media.
And while the authorities are fighting hackers and fraudsters who deceitfully steal confidential data of Kazakhstani citizens, state institutions themselves are publishing the personal information of their employees when concluding contracts with suppliers.
The other day, information was sent to the anonymous FBRK bot claiming that one of the schools in the East Kazakhstan region had concluded a public procurement contract for staff medical examination services, while at the same time publishing the personal data of the teachers and institution employees in the technical specification. The FBRK editorial team reviewed the details of this tender.
As it turned out, the contract was concluded back in April. The winner of the tender was a local entrepreneur specialising in activities related to catering provision, which is odd in itself. But even more questions are raised by the document uploaded to the "technical specification" section.
In such public procurements, this document typically represents the requirements for the supplier, specifying how many employees need to undergo medical examinations and with which doctors. However, in the procurement in question, the customer, represented by the state institution, simply attached a list of all employees of that institution, including their full personal details.
And while the teachers were slightly luckier in terms of the dissemination of personal information (the list includes their full names, dates of birth, education, and work experience), the staff, which included laboratory assistants, janitors, security guards, drivers, and others, found themselves in a particularly high-risk zone. In addition to professional characteristics, the document lists their IIN, mobile phone numbers, and full residential addresses.
For obvious reasons, we are not entitled to disclose the name of the school or other details of the contract. However, for our part, the FBRK editorial team has sent an official request to the Department of Education of the East Kazakhstan Region asking them to conduct a detailed investigation and resolve the situation.
It should also be noted that the document contains no standard requirements for the medical examination. It was likely uploaded as a technical specification by mistake. Nevertheless, we believe such negligence on the part of a state institution is unacceptable, and those responsible for the leak of personal data must be punished in accordance with the law.
To be continued…