Personal data of Arman Kenzhegaliyev, Chairman of the Board of the state corporation ‘Government for Citizens’, has been leaked into the public domain. Kenzhegaliyev was among 16 million Kazakh citizens whose personal information became accessible as a result of the latest large-scale data breach, reports the Telegram channel ‘Access to the Sea’.
Analysis of the breach suggests the incident likely occurred last year. Experts believe it may have been caused by semi-open APIs in government services, vulnerabilities in poorly configured systems, or unauthorised exports from integrated databases. The nature of the leaked information indicates that the source is government agencies.
The following data of Arman Kenzhegaliyev was included in the leak:
- full name and date of birth,
- Individual Identification Number (IIN),
- several registered addresses, including one near his place of work,
- passport number and date of issue,
- identity card number,
- nationality details,
- information about close relatives,
- marriage registration dates (and for others, divorce dates),
- mobile phone number.
The Ministry of Digital Development stated that it is conducting its own investigation and claims that ‘most of the information is outdated’. However, a review of other public sources shows that Kenzhegaliyev's phone number has remained unchanged since 2011. He used this number to register with the service mail.ru, make purchases at the Russian chain ‘Sportmaster’, and use ‘Yandex.Eda’.
According to the Telegram channel ‘They Are Already on Their Way’, the Minister of Digitalisation, Zhaslan Madiyev, confirmed that there have been no new data breaches involving Kazakh citizens.
‘All this data is dated before 1 May 2024. There have been no recent leaks,’ he said.
Earlier, as a result of another breach from the ‘Damumed’ system, medical information about the Chairman of the state corporation was also made public: name, date of birth, IIN and records of visits to a medical facility.
Analysis of the available information shows that the largest number of leaks are linked to government services. No confirmed cases of compromised bank details, including card or account numbers, have been recorded. This contrasts with the situation in Russia, where bank customer data sometimes enters the public domain.
In so-called leak aggregators, one can find old data on Kazakh citizens relating to administrative and criminal cases, as well as personal information previously exposed online through Russian services. These sources include: the courier service CDEK, Wildberries, the payment system ‘Unistream’, mail.ru and ‘Yandex’.
The data breach incident involving a high-ranking official responsible for the country's digital infrastructure highlights systemic problems with personal information security. At the same time, the question remains: will effective measures be taken to eliminate such risks, and will users be able to trust state digital platforms in the future?
Earlier we reported on the largest ever leak of personal data involving over 16 million 302 thousand Kazakh citizens. The compromised database contains a full range of personal information: full names, IINs, phone numbers, addresses, as well as data from medical and other departmental sources.