After a cybercriminal published this Tuesday a file for sale with images of the front and back of 5.7 million Argentine driver’s licenses, and another user uploaded Renaper records, the question about what risks it implies for those affected It is one of the most listened to: Why is it dangerous for personal data such as document, address and full name to be leaked? What can be done with specific information in the records, such as signature, blood type, and whether or not the driver is an organ donor?
The leaks, or “leaks” as they are known in the cybersecurity environment (as they say in English), they imply that internal information of a State, company or entity, which is not intended to be public, is made known. There are different types of leaksof lesser importance, to more dangerous ones.
Now, during the last three weeks, Argentina was the protagonist of major leaks. The first occurred at the beginning of the month, when a cybercriminal gave away in an underground forum and Telegram photos of Argentines extracted from a system related to Renaper. The second was when the same user uploaded a database of Nosis users, a widely used site that offers “strategic citizen information” and includes addresses, documents, telephone numbers and other data such as employment relationships and financial records. And this Wednesday another one from Renaper appeared.
This week it was the turn of a driver’s license database, and the attacker launched a provocation to the President of the Nation, Javier Milei, and the Minister of Security, Patricia Bullrichby exposing its licenses in the sample file it sells.
What can be done with this information? What type of severity is it?
What dangers are there with this license leak?
Asked about this specific case, Alejandro Botter, Security Engineering Manager of the cybersecurity company Check Point, listed the type of problems that are unleashed with a leak.
“In terms of the impact of information leaks, the first and most common is usually the financial one, where it happens that the cybercriminal impersonates the person and hire services or request a loan in the person’s name. The second point is the damage to the reputation of the companies and entities that have information about the affected people, calling into question how the current management of that information is being done,” he explained.
“In reference to these recent information leaks, it must be mentioned that we are entering a new era of identity theft or impersonation. What the cyber attacker does is put together a puzzle with all this available information, which is why these leaks constitute a great source, achieving greater effectiveness. In combination with the above, one of the trends for 2024 is the increase in deepfake attacks, where the cybercriminal copies image and sound, being able to generate even the voice and face of the victim,” he added.
“The third and not least, is the emotional impact on people, where financial loss or invasion of their privacy by viewing their public information can carry a significant emotional burden,” he added.
There is also the risk of falling into “SIM swapping”: “One last case that I would also like to mention is the attack known as ‘SIM Swapping’, in which the cybercriminal impersonates the victim’s phone, which has passwords that “They are sent by SMS, access to social networks or messaging tools such as WhatsApp.”
“In SIM Swapping, identity theft is key for the company that provides that telephone service and there we have a connection with all this information leak: the more information you have about that person, the easier it is for you to do “that identity theft,” the analyst concluded.
David Perez, Cybersecurity Service Manager at Security Advisor, agreed with this, and listed the type of risks that citizens run with these leaks.
- Privacy Breach: Data leakage can lead to the exposure of sensitive personal information such as financial details, medical records or personal communications, leading to violations of individuals’ privacy.
- Identity theft: Stolen personal information can be used for identity theft, fraud, accessing financial accounts or carrying out illegal activities.
- Financial losses: Data leakage can lead to financial losses for individuals if their financial information is compromised and used to make unauthorized transactions.
- Reputational damage: A country that suffers widespread data breaches can damage its reputation as a safe place to live and do business.
- National Security Risks: Where appropriate, data leaks can also pose national security risks if sensitive information related to government activities is exposed to unauthorized parties.
- Legal consequences: Data leakage may lead to legal action against the country or entities responsible for the breach.
Finally, there are two pieces of information whose publicity presents a more worrying situation. “The leak of the signature is what is really serious about this case. Together with the information about whether the driver is an organ donor or not, these are two really worrying pieces of information,” said a source specialized in threat analysis.
Personal data and sensitive data: the difference
A distinction that must be made is What is personal data and what is sensitive data. Not all personal data is sensitive, but, as far as citizens are concerned, sensitive data is a specific type of personal data.
“Sensitive data is data that refers to a person’s intimate sphere and whose use, without the consent of its owner, may give rise to discrimination or violate aspects of their privacy. Article 2 of Law 25326 defines sensitive data as that which denotes racial and ethnic origin, political opinions, religious, philosophical or moral convictions, union membership and information regarding the health or sexual life of the owner of the data,” he explained to Clarion María Luján Gallego, lawyer at the Brons & Salas firm, specialized in Data Protection.
“Personal data is any data through which a person can be identified, such as, for example: name, surname, address, telephone number, email, among others,” he added. The licenses have full name, address, date of birth, signature, blood type and if the driver is an organ donor.
In the case of this leak, “the license contains certain personal data, which could be considered sensitive, because it is medical data, What is the blood group and factor?”, he assured.
The responsibility of the State in the face of leaks
“It is very important that citizens’ personal data be safeguarded. Each leak not only compromises individual privacy, but can also undermine trust in institutions. Protecting data, in addition to an ethical duty, It is today a necessity to avoid risks such as identity theft, the manipulation of sensitive information and the potential damage to national security. Guaranteeing data security means protecting the integrity of society as a whole,” added Perez from Security Advisor.
Regarding what responsibility falls on the State, Gallego explained: “The State turns out to be responsible for not having robust computer security measures, for the purposes of preventing this type of crime. It is evident that the State must take cybersecurity seriouslyimplementing security measures in order to prevent and mitigate risks, in pursuit of the safety of citizens.”
Curiously, the attacker who leaked the driver’s license data agrees with this. Asked why he leaked the data, he assured: “It is so that Argentina changes its course and takes cybersecurity seriously.”
This latest license leak, along with the new one from Renaper, make up one more case of data neglect in Argentina. Although this problem is not only local, as governments such as the United States have had unauthorized access to their databases, our country has thus added a new incident.
Just to remind some, in March 2022, a well-known ransomware group, Vice Society, published 30 thousand files with internal information from the Senate of the Nation. That same year, in September, the Buenos Aires Legislature was attacked by another well-known underground group (Play).
Unlike these cases, both the one with the 115 thousand photos of the Reappear as Nosis and now these driver’s licenses were leaked by a single user and not an organized group.
The penalties for these crimes that Argentina establishes for these cases range from one month to two years, according to article 32 of law 25,326.