Recent reports about the spread of personal data belonging to nearly 15 million Uzbek citizens on the Dark Web have raised serious public concern. This situation has once again brought to the forefront the issue of the security of state electronic services and personal data.
Although the Cybersecurity Center has announced that investigative work is being carried out regarding this incident, no official conclusions have been announced yet.
Main Authentication Server Reportedly Breached
According to reports, among the breached systems is an OAuth server, considered the main authentication mechanism for government information systems. Access to various state services and user verification processes were carried out through this server.
Sources emphasize that unauthorized access to a number of important state systems became possible precisely through this server.
Among the systems reportedly breached are:
- Information systems of the Ministry of Internal Affairs,
- National Agency for Social Protection (NASP),
- National Statistics Committee (STAT.UZ),
- Important platforms such as the Uzbekistan Mortgage Refinancing Company (UZMRC.UZ) are being mentioned.
What Kind of Data May Have Been Leaked?
It is stated that among the leaked data are citizens':
- Full name,
- Date of birth,
- Residential address,
- Phone number,
- Email address,
- Passport details, and other personal information. There are also reports that passport copies, medical documents, sick leave certificates, and personal photographs have been published.
It is reported that hackers have displayed the complete personal data of thousands of citizens on the Dark Web to prove the authenticity of the information.
Hackers Offered to Sell the Data
According to a report published on the Kurbanoff.net Telegram channel, the stolen data pertains to 2023. The hackers have indicated they are prepared to sell this database for 200,000 euros.
They also claim to have contacted employees of the Uzbekistan Cybersecurity Service — UZCERT — 5 days ago.
What is the Official Stance?
The National Agency for Social Protection announced on its Telegram channel on January 31 that due to preventive work being carried out on the "Unified National Social Protection" information system, there may be interruptions in some services provided via my.go.uz until February 2 at 5:00.
The National Statistics Committee, in its statement, emphasized that citizens' personal data related to registration is stored securely and there is no possibility of it leaking to external sources.
What Does the Legislation Say?
According to the Law of the Republic of Uzbekistan "On Personal Data," the state guarantees the protection of citizens' personal data. Disclosure or dissemination of this data without the subject's consent is prohibited.
This incident, however, indicates that there may be serious vulnerabilities in ensuring cybersecurity within state information systems. The final investigation results from official authorities are awaited.
