
Personal data of 16 million Kazakhstanis has been leaked online

Submitted by Вера Александрова on

The TSARKA Cyber Attack Analysis and Investigation Centre has confirmed the leak of personal data belonging to 16,302,107 Kazakh citizens. The compromised database contains a full range of personal information: full names, Individual Identification Numbers (IINs), phone numbers, addresses, as well as data from medical and other departmental sources.

As reported by TSARKA, the incident has been unofficially named "Residents of Kazakhstan 2024". According to TSARKA Group Vice President Yenlik Satiyeva, the scale of the leak covers virtually all of the country's population. 

Particularly alarming is that the data includes almost complete personal details:

  • surname, first name, patronymic;
  • date of birth and gender;
  • Individual Identification Number (IIN);
  • phone numbers (mobile, work, home);
  • residential address, citizenship and nationality;
  • address verification status and date of residence commencement.

Analysis of the contents shows that most of the data dates back to 2022, but information from 2023–2024 is also present, indicating that the leaked data is still relevant and "fresh". The compressed archive is 799 MB, and the file inside it is a CSV of over 7 GB. In total, the database contains 15,851,699 unique IINs and 16,901,555 phone numbers.

According to experts, the source of the leak could be either mass data collection via public or semi-open APIs, or vulnerabilities in incorrectly configured services that return personal details — full names, IINs, phone numbers — in response to an ID query. The possibility of an erroneous data dump from integration systems is also not ruled out. Analysis and precise identification of the leak channel are ongoing.

The press service of the Ministry of Digital Development, Innovations and Aerospace Industry of the Republic of Kazakhstan (MDDIAI RK) has commented on the detected personal data leak. Citizens whose data was included in the leak will be notified via the personal account of the state service eGov. The state body stated that the data leaked from private information systems, refuting assumptions about the compromise of government databases.

"The Information Security Committee under the MDDIAI RK, together with relevant law enforcement and special agencies, is conducting a comprehensive investigation, including an analysis of the relevance of the data provided. It should be noted that the initial analysis points to a possible origin of the information from private information systems. No hacker attacks or leaks of personal data from state information systems have been recorded to date," the statement said.

The incident represents a serious threat to the information security of citizens, as the data leak opens up opportunities for fraud, including targeted attacks on vulnerable population groups.

For context, in May, the Ministry of Digital Development, Innovations and Aerospace Industry (MDDIAI) commented on information about the leak of Kazakh citizens' personal data following a publication by Majilis deputy Murat Abenov. He emphasised that Telegram bots are disseminating citizens' personal information without restriction, including IINs, addresses, phone numbers and data about family members.

Incidentally, a new service called Nomad Guard, designed for checking personal data security, recently appeared in the eGov Mobile app. 

In March of last year, Kazakh citizens received notifications about a leak of their personal data in the eGov Mobile app. Notifications were also sent to those who had never taken out loans from MFOs (Microfinance Organisations).