Important personal data of customers of popular Kazakhstan online stores Meloman and Flower Empire have been exposed in the public domain. The leaked information includes names, phone numbers, delivery addresses, lists of ordered items and customer comments.
According to Bes.media, despite the seriousness of the leak, state bodies, including the Ministry of Digital Development, Innovation and Aerospace Industry (MDDIAI) and the State Technical Service (STS), have not conducted any inspections. According to the departments, they have not received any official appeals from citizens.
"Due to the lack of official appeals from citizens, no inspections were conducted regarding the companies. Consequently, information about the causes of the incident (including technical aspects such as code vulnerabilities, lack of protection, or the use of outdated solutions) is absent," the STS reported.
It has become known that the leak affected orders from the period between 2021 and 2023. Files containing personal data have likely ended up in databases distributed through closed services like "Eye of God."
Meloman reported that no leak has been recorded on their end. According to the company's IT specialists, internal security systems are functioning correctly, and the leak may have occurred through a third-party resource unrelated to Meloman's infrastructure. Journalists were unable to contact representatives of Flower Empire.
In turn, Ruslan Turguldinov, head of the Nomad Guard project at TSARKA GROUP, stated that Kazakhstan has uniform regulatory requirements for the protection of personal data for both state and private operators.
"All personal data operators are obliged to comply with the requirements of the Law 'On Personal Data and Their Protection' and the Law 'On Informatisation', as well as adhere to uniform requirements in the field of information and communication technologies (ICT) and information security (IS). These documents enshrine the mandatory nature of ISO/IEC standards and establish technical measures such as encryption, authentication, and monitoring," the expert reported.
Recall that earlier we wrote about the most large-scale leak of personal data of over 16 million 302 thousand Kazakhstan citizens. The compromised database contains a full range of personal information: full name, Individual Identification Number (IIN), phone numbers, addresses, as well as data from medical and other departmental sources.
It also became known that personal data of the chairman of the board of the state corporation "Government for Citizens," Arman Kenzhegaliev, also entered the public domain.
Later, Deputy Prosecutor General Galymzhan Koigeldiev reported that a criminal case had been opened regarding the large-scale leak of personal data of Kazakhstan citizens.