A technical glitch caused the data leak from technology company ZZ Dats. It allowed potentially malicious players to copy data from the Unified Local Government Information System over several days. The incident directly affected all Latvian municipalities except Riga. However, it is not yet known exactly how many people's data were accessed.
"We apologize to everyone who has been affected by negative emotions or experiences. But I would like to stress that this has not created any new risks," said Edžus Žeiris, CEO of ZZ Dats.
According to Žeiris, only a relatively small part of the data available to the company was leaked. The data has not been corrected or deleted, which means that municipalities can continue to use existing systems safely.
The information technology security incident response body Cert has also been informed of the situation and, following the incident, has assessed whether there are any other systems in the Latvian internet system that could be exposed to such a risk.
"We have found 10 or 11 [bugs]. Fortunately, there are none [that] could be considered essential for the information system. Mostly in the private sector. We have already contacted all these private sector representatives to have it removed from such extended access," said Varis Teivāns, deputy head of Cert.lv.
What can the bad guys do when they get personal data? The DVI said that they can be used by internet or phone fraudsters to create an extended profile of their potential victim. There is also the theoretical possibility of trying to impersonate the person by corresponding with others. However, it is not possible, for example, to borrow money in someone else's name.
"Of course, we don't know what people who have such negative, illegal intentions, their imagination is also big enough. For example, taking out a loan - in the past maybe it could be done, now the companies themselves that give loans have introduced many measures to ensure that they really check whether it is the same person who is taking out the loan or not," said Jekaterina Macuka, head of the DVI.
Also, such data could be sold on the black market, where it could again be used for fraud attempts.
"So people need to be careful about who they speak to, where they click, and what they do," added Macuka.
Both companies and public authorities can be fined for data leaks if they are found to be in breach.