Authors: Ardit Toca, Maria O'Donnell and Xhuana Çallaku
"We showed him the wolf, they (prosecutors) were looking for tracks"
On April 11 of last year, two weeks before the parliamentary elections in Albania, Lapsi.al reported that there was a breach of personal data of citizens in Albania. This leak released to the public the private information and personal data of nearly 910,000 individuals, almost a third of the entire population of Albania.
Instead of questioning anyone suspected of being involved in the breach, prosecutors chose to investigate Andi Bushati and Armand Shkullaku, the Lapsi.al journalists who broke the news about the data leak.
"The prosecution asked the court to seize everything; mobile phones, computers, servers, USB etc. While the standards (protocols) require that in these cases not only the devices should not be seized, but the access to these devices should also be surgical", said Dorian Matlija, the lawyer representing Lapsi.al. "With its actions, the prosecutor's office seriously endangered the relations of journalists with the sources, but also endangered the release of other materials of journalists that are not related to the concrete case".
After eight months of government silence, three more data leaks occurred, putting the security of Albanian citizens at risk.
"A proper investigation of the first case would have a deterrent effect on any individual who could misuse Albanian data", said Matlija.
In other words, if the prosecutors had questioned the people who caused the breach and not the journalists who published the news, then the subsequent data leaks that brought the personal data of thousands of Albanian citizens into the public domain might not have happened.
A day later
One day after the first breach of personal data, SPAK, the Special Structure Against Corruption and Organized Crime, started investigations. For six months, until October 1 of last year, SPAK investigated this issue.
According to Euronews Albania, SPAK requested that the two Lapsi.al journalists who published the news hand over the voter database they had available. The request went to court, but in the end the case was dismissed by the Court of Appeal.
On April 23 of last year, the Office of the Commissioner for the Right to Information and Protection of Personal Data published a notice stating that they were "carefully monitoring the situation created by the breach (illegal leakage) of citizens' personal data." The office said it will issue a report in the near future.
The office released the report just four months later, on August 19. This report specified the extracted information and detailed the actions of Lapsi.al journalists, but did not single out anyone guilty of leaking the data or anyone guilty of using it.
Freedom House's annual report called "Freedom in the World 2022" noted that "critics, including members of the opposition, have accused the SP of stealing data from official government websites and using them to 'intimidate' the voters. The ruling party has repeatedly denied that the database was created or used illegally."
"There may be various cases of data leaks in neighboring countries and also in those of the European Union, but [data leaks] in Albania, in my estimation, is unprecedented," said Erida Skëndaj, Executive Director of the Albanian Helsinki Committee.
Edi Rama, the Chairman of the Socialist Party, won the elections and was able to continue his eight-year rule as Prime Minister.
Almost six months after the April violation, SPAK transferred the investigation to the ordinary prosecutor's office.
"At the beginning of October 2021, SPAK informed the media, declaring incompetence (as a reason for the data breach), with the argument that there are no elements of corrupt acts, passing it on to the Prosecutor's Office at the Court of First Instance in Tirana", said Skëndaj.
Even without the prosecution taking over the case, no changes or improvements were announced in the security system of citizens' personal data in Albania.
"The risk is high and permanent (for other data breaches); because ... recently we have seen thousands of complaints, which came from citizens, saying that they were receiving job offers", said System Security Engineer and IT Expert Besmir Semanaj. "This typology paves the way for other attacks as well."
Eight months later
On December 22 last year, eight months after the April data leak, another breach occurred. This time, the data leak exposed the monthly salaries, job positions, names and ID numbers as of January 2021 for nearly 630,000 citizens working in the private and public sectors.
The next day, the salaries of thousands of Albanian citizens for the month of April 2021 were exposed via WhatsApp.
Skëndaj expressed the seriousness of the situation, noting factors such as "the type of administered data, the entities that are suspected of having distributed and further processed this data for certain purposes, the very high number of persons affected by the circulation of these data, as well as the short time, in less than a year, within which these massive leaks occurred."
After the salary leak, Prime Minister Edi Rama appeared before reporters and apologized for the database leak at a press conference on December 23.
"According to a preliminary analysis, it looks more like an internal infiltration than an external cyber attack," Rama said. "I have an idea that this was done to create confusion and enmity between the people and (the government)."
A third data breach occurred on December 24. It contained license plate numbers of 530,452 Albanian citizens and 61,513 banks, businesses and embassies. Even the exact color and manufacturer of the car were listed.
"The biggest risk is the cloning of identities and their use for criminal and terrorist acts... The only choice is to change the cards and the algorithm of their production," said Semanaj.
Answer
After eight months and four security breaches of state databases, on January 7 of this year, prosecutors in Albania arrested four suspects for possible theft of personal data of more than 630,000 citizens. These arrests were made for the second and third data leaks, but not the first, in April 2021.
The prosecution said that two of the arrested persons were IT technicians who worked in the office of the General Directorate of Taxes, while the other two had bought the data and worked in the private sector.
"Regarding the leakage of data (salaries, license plates), the Prosecutor's Office at the Court of First Instance of Tirana has mainly started investigations on this issue since the day these data were released. In connection with this case, four people have been arrested, namely the citizens of EQ, AA, KS and EI, who are still under the security measure of 'house arrest' and 'compulsion to appear'", according to the announcement of the prosecutors.
Jones Group
On January 11 of this year, the Albanian government hired the US-based company Jones Group International to help with cyber security.
Prime Minister Edi Rama stated that the government and the group have signed a memorandum of understanding that they will work "to strengthen the security of digital systems".
When asked about the types of work Jones Group does, John Lord, President of Jones Group Europe, said "the Jones Group team provides cybersecurity and information security advisory services to government and critical infrastructure clients around the world".
The Jones Group is based in the state of Virginia and was founded by General James L. Jones, former national security adviser to President Barack Obama.
"Our team has completed a wide range of cyber-related projects in energy and information technology, each with different requirements, and we have been successful in meeting our clients' requirements," said Lord. "The Prime Minister, supported by the Council of Ministers and the Assembly of Albania, has already shown an important leadership towards strengthening Albania's cyber security position".
But if it was an "internal infiltration and not an external cyber attack", as stated by Prime Minister Rama, why did the Albanian government hire an external consultant like the Jones Group?
To this question, the National Agency for the Information Society (AKSHI) answered, "the cooperation with Jones International Group is focused on the evaluation of ISO international standards, the drafting of the technical plan at the individual institutional level for cyber recommendations and the implementation of the physical infrastructure which aims to minimize the likelihood of such incidents occurring again."
Because it was an insider attack, there is concern that it could happen again.
"AKSHI is not an institution whose employees must go through evaluation and vetting procedures, but to have a clearer idea of the applicant's reliability, the list of documentation required for application is the Certificate of Judicial Status and [other] documentation of this nature", AKSHI says in a statement.
On May 1, Rama announced his cooperation with ANA, saying that the entire country will use e-Albania, a portal created by ANA that allows citizens to access certificates and documents related to public services. Although the portal had been in existence for many years, this was the first time that all government agencies were required to use it.
US Data Security
The government data breach that affected the largest number of individuals in the US occurred in December 2015, according to Digital Guardian, a data loss prevention software company. It included the leak of voter registration information.
The personal data of 191 million people in the US was released because of a database that was configured incorrectly.
Often, the reason for data leakage is a lack of awareness of data security or human error.
"In the finance or healthcare industry, there are a lot of secure documents that are being circulated publicly, but I think it's mostly just to deal with people who want money or people in a company who aren't educated enough to not engage in phishing emails [or] scams of this type," said Kyle Cleaver, Business Development Representative at HelpSystems and an employee at Digital Guardian.
However, in Albania, as Rama said, an "internal infiltration" had taken place.
When asked why these internal infiltrations are less likely to happen in the US, Cleaver said: “The fines [are] increasingly higher if [a company] has outside interference. I know it's good for our companies to deal with this software because…they have to comply with CUI (Controlled Unclassified Information) certificates or they will be fined.”
The Ministry of Infrastructure and Energy in Tirana was asked why, as long as there is no assessment from any official institution that "the data leak was the result of an external attack", it was necessary to hastily contract Jones Group to strengthen the state cyber security framework. The Ministry did not give a definitive answer, refusing to answer the direct question.
The Ministry also did not answer the question of whether there were open procedures for contracting Jones Group and whether other firms were interested in cooperation.
It has been 4 months since the passing of the special law for the conclusion of the contract with Jones Group, which made almost all of the cyber infrastructure of the Albanian state available to the company, and to date there has been no update on improvements to AKSHI's security infrastructure.
In March, US President Joe Biden signed into law the Critical Infrastructure Cyber Incident Reporting Act, to prevent a repeat of cyber attacks like those that occurred in 2015.
“It helps a lot when the government steps in and they're passing all these [cybersecurity] laws,” Cleaver said.
An Internet Future
In a press conference on December 23 last year, after the second data breach in December, Mirlinda Karçanaaj, Director of the National Information Agency of Albania, sat right next to Prime Minister Edi Rama.
Karçanaaj reconfirmed the security of e-Albania, despite the fact that it has nothing to do with data breaches.
Less than five months later, the entire country was forced to use e-Albania.
In other words, after four data breaches in eight months, the National Information Agency decided to put the important documents of Albanian citizens online. This means that family certificates, education registrations, jobs, pensions, permits and licences, transport and vehicles, customs services and health and social protection are all managed through this portal.
"The people who have had access to the information obtained from the databases have had access to every data that we possess," said Semanaj. "Albanian citizens are totally exposed".
On July 17, 2022, AKSHI announced for the first time an external cyber attack on its infrastructure and suspended all public services. Efforts to resolve the emergency situation continue.