Personal data of the head of BI Group leaked via the government procurement portal

Submitted by Gorin_S on
Data leak

Kazakhstan's public procurement system has again exposed personal data of citizens — and again through its own portal. This time, one of the country's wealthiest businessmen, the head of BI Group, Aydin Rakhimbayev, was among those affected. 

WHAT HAPPENED

Full scanned copies of identity documents of representatives of supplier companies — including photographs, individual identification numbers, dates of birth and specimen signatures — appeared in the public domain on the government procurement portal. One of the first documents discovered was the ID card of the chairman of the board of directors of BI Group, Aydin Rakhimbayev, whose wealth is estimated by Forbes at $967 million.

BI Group, however, did not see a problem. The company's press service stated that the documents were posted "in accordance with the established procedure".

MP Yekaterina Smyshlyaeva takes a different view. In her opinion, the individual identification number is a working identifier for digital systems, the ID card itself is a non-public document, and the information security committee of the Ministry of Digital Development, Innovations and Aerospace Industry (MDDIAI) needs to conduct an investigation.

HISTORY REPEATS ITSELF 

For the editorial team of FBRK, the story of a personal data leak is nothing new. Back in 2024, we reported that a school in the East Kazakhstan region had published a complete list of employees — along with their personal data — in the technical specification of a tender.

It then became clear that neither journalists nor government bodies could initiate administrative proceedings without a personal statement from those affected. The school employees did not come forward — apparently fearing for their jobs. The headteacher and chief accountant ultimately received a reprimand, and the state audit department found no violations. Meanwhile, it is impossible to remove documents from the portal; once uploaded, they remain there forever.

In this framework, the personal data law functions more as a formality than as a form of protection. To hold those responsible to account, the affected individual must come forward and file a statement. No statement, no violation. This means the state effectively places the burden of protecting their own data on citizens, whose information has often leaked through a government resource itself.

WHEN THE FBRK EDITOR-IN-CHIEF'S DATA LEAKED

In 2025, this story affected our editorial team too, taking on a very personal dimension. The personal data of the FBRK editor-in-chief ended up in the hands of a private company, Sunkar Eavision International LLP — the very company whose drone procurement for the Ministry of Agriculture (MoA) our editorial team had recently investigated. The company filed a police report, accusing the journalist of spreading "false information" for accurately quoting their own price proposal from an official government document.

The question of how a private company obtained the editor-in-chief's personal data never received a clear answer. The data had been provided exclusively to government bodies when submitting official requests, including to the State Inspectorate Committee of the MoA in connection with the investigation into that very drone procurement. 

So it appears that a company closely linked to a government body somehow obtained the personal data of a journalist who had directed enquiries precisely to that government body. All of this is, presumably, an absolute coincidence. Be that as it may, the data transfer mechanism was formally framed within the scope of advocacy powers, and the case was effectively closed.

SELECTIVE CONCERN

If you line up these three cases chronologically, the picture is quite telling. A data leak of ordinary teachers through the public procurement portal — an administrative reprimand and silence. The personal data of a journalist investigating government procurement — case closed, transfer mechanism deemed legal. The full scan of the ID card of one of the country's wealthiest individuals — immediate parliamentary reaction and a demand for an investigation.

This is neither a new nor an isolated problem. It is systemic. And so far, none of the measures adopted — from introducing liability for heads of government bodies to tightening requirements for personal data protection and expanding oversight mechanisms — have made this system any safer, especially for ordinary users.

Source
BES.media