Personal Information Of The Entire Georgia Population Leaked And Shared On Online Forums

31/03/2020

Storing data on the internet for easy access is indeed convenient. But things go from good to bad if that data is leaked, for whatever reason.

This time, it happened in Georgia, the former Soviet republic that is located at the intersection between Europe and Asia.

Known for its Caucasus Mountain villages, Black Sea beaches and centuries-old monasteries, the country had all of its citizens' personally identifiable data leaked to the internet.

The data include full names, home addresses, dates of birth, ID numbers, and mobile phone numbers.

Amounting to more than 4.9 million people, the number of records exceeds Georgia's population, which was a little less than 4 million as of March 2020.

The data set was first spotted by Under the Breach, a data breach monitoring and prevention service. It was reported that the data had been shared online as a 1.04 GB MDB (Microsoft Access database) file on hacking forums.

The leaked database contained records for 4,934,863 Georgian citizens. (Credit: ZDNet)

The number of leaked records exceeds Georgia's current population because the records can be dated back to 2011 and also include people who are deceased.

At first, Under the Breach thought that the entire country’s voter database had been stolen from Georgia’s Central Election Commission (CEC). But the CEC said that it didn’t process the data published on the unnamed hacker forum, and that the database itself differs from what the election administration has access to, including in terms of data, format and database structure.

What's more, the CEC only had 3.5 million people in its database.

Also because no cyber incident had been reported to the CEC, Under the Breach started verifying the data and then shared its findings with ZDNet, which managed to contact one of the people who shared the data on online forums.

At first, the people contacted by ZDNet declined to say where they got the data from. But after ZDNet presented the CEC’s statement, which clarified that the source wasn’t the CEC, the people sharing the data dump started to shed a bit of light on the situation.

They said that the data could be verified on the CEC’s website, not that it had been leaked from the commission in the first place.

The individual cited a misunderstanding and a lack of knowledge of the English language, clarifying that the CEC's website could be used to verify the data, and not that the data was obtained from the organization.

At this time, it is unclear whether or not the forum user who shared the data is the one who obtained it.

ZDNet has provided links to the leaked data to the Georgian authorities, who are said to be investigating the breach.