Data Breach - National Office of Trade Registry (ONRC)
Official publication: ENTRYRISE S.R.L
Purpose: Notifying civil society that this information exists in the public space
Key moments:
- Vulnerability identification: 26 July 2024 - 27 July 2024
- Failed attempt at remediation and relaunch: 27.07.2024
- Date the criticism of that attempt was published: 21:38, 27.07.2024
- Effective remediation of the problems: 30.07.2024
Breach details:
- [Confidential for now]
Risks:
- Identity theft (over 3,000 vulnerable people: everyone who made payments on the platform up to 28.07.2024, plus every natural person who has ever been insolvent)
- Risk of automated profiling based on information about the financial situation of persons who have ever been insolvent in Romania.
- Disclosure of information not intended for publication about all commercial companies, including the existence of contracts notified to ONRC.
- Compromise of the confidentiality and integrity of a limited set of data on all companies in Romania that is not intended for wide publication, with limited impact on trade secrets and competitive advantage.
- Disclosure of all parties to lease, loan-for-use (comodat) and sale contracts notified to ONRC.
Incident Details Video Clip:
The MyPortal platform of the National Trade Register Office (ONRC), designed to facilitate digital interaction between entrepreneurs and the institution, has revealed a series of critical vulnerabilities that exposed the personal data of thousands of users, as well as over 1 million companies.
Beyond the evident technical issues, this incident reveals deep deficiencies in how public institutions in Romania approach cybersecurity and raises serious questions regarding the accountability and transparency of authorities in managing such situations.
A system built on weak foundations
Our investigation revealed that the MyPortal platform was built on shaky foundations, disregarding fundamental security principles and exposing users' sensitive data to unacceptable risks.
Missing authentication and access control for calculation notes:
Anyone can access the spreadsheets of other users simply by modifying the URL, without the need for authentication. These spreadsheets contain sensitive data such as personal identification numbers and addresses.
Disclosure of the personal identification numbers of insolvent individuals:
The endpoint /bpi-published-persons/pf reveals the personal identification numbers (CNPs) of all natural persons in insolvency, together with their first and last names, in response to a simple query consisting of a single vowel.
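As an added illustration (not code from the ONRC platform), the following Python sketch contrasts a lookup that behaves as described above with one that applies a minimum query length, a result cap and CNP masking; the records, the 3-letter threshold and the page size are constructed assumptions.

```python
import re

# Constructed sample records (not real people). A CNP is Romania's 13-digit
# personal identification number; returning it in full is the core of the finding.
INSOLVENT_PERSONS = [
    {"name": "Popescu Ion", "cnp": "1800101123456"},
    {"name": "Ionescu Maria", "cnp": "2850505123456"},
    {"name": "Radu Andrei", "cnp": "1900909123456"},
]

MIN_QUERY_LEN = 3   # assumed policy: refuse one- or two-letter queries
MAX_RESULTS = 20    # assumed policy: cap the page size so the whole list cannot be dumped


class QueryRejected(ValueError):
    pass


def mask_cnp(cnp: str) -> str:
    """Keep only the last four digits, enough for a person to recognise their own record."""
    return "*" * (len(cnp) - 4) + cnp[-4:]


def search_vulnerable(query: str) -> list:
    """Behaviour described in the report: any substring match returns the full record."""
    q = query.lower()
    return [dict(p) for p in INSOLVENT_PERSONS if q in p["name"].lower()]


def search_hardened(query: str) -> list:
    """Require a word prefix of at least MIN_QUERY_LEN letters and redact the CNP."""
    q = query.strip().lower()
    if len(q) < MIN_QUERY_LEN or not re.fullmatch(r"[-a-zăâîșț ]+", q):
        raise QueryRejected("query must be at least %d letters" % MIN_QUERY_LEN)
    hits = [p for p in INSOLVENT_PERSONS
            if any(word.startswith(q) for word in p["name"].lower().split())]
    return [{"name": p["name"], "cnp": mask_cnp(p["cnp"])} for p in hits[:MAX_RESULTS]]


def hardened_or_reason(query: str):
    """Convenience wrapper: the result list, or the rejection message as a string."""
    try:
        return search_hardened(query)
    except QueryRejected as e:
        return str(e)
```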
Excessive disclosure of information through the "INFORMATION - FILE STATUS" function:
The use of this function reveals a wide range of potentially sensitive information about companies and authorized individuals, including contact details, financial information, and back-end infrastructure specifics.
The problem persists across multiple endpoints and reveals:
- Contact details of company representatives, submitted through requests to the National Trade Register Office.
- Information about companies or authorized individuals, including company activities, number of shares, registrar in the case, duration of the company, insolvency status, etc.
- Contact phone number, fax number and any email address declared to ONRC.
- All workplaces declared to ONRC.
- All information regarding the rental of the premises, its effective date and expiration (duration), and the rental provider (including individuals).
- Details of back-office infrastructure, details of documents submitted by individuals, details of involved registrars (BERC clone), details of acts and their classification level (?).
Obtaining documents free of charge due to lack of validation:
The system allows the generation of documents such as certificates and insolvency procedure bulletins without verifying payment, enabling access prior to the actual payment for services.
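Added example (not the platform's own code): a Python sketch of the two server-side checks missing in the findings above, ownership of a calculation note (the URL-modification issue) and verified payment before a document is generated. Names, the in-memory store and the sample accounts are constructed assumptions.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    pass


class PaymentRequired(Exception):
    pass


@dataclass
class CalculationNote:
    note_id: int
    owner: str       # account that created the note
    content: str     # in the real portal this holds CNPs and addresses


@dataclass
class DocumentOrder:
    order_id: int
    owner: str
    paid: bool = False   # set only by the payment callback, never from client input


# Constructed sample data
NOTES = {101: CalculationNote(101, "alice", "fee breakdown for alice"),
         102: CalculationNote(102, "bob", "fee breakdown for bob")}
ORDERS = {7: DocumentOrder(7, "alice")}


def get_note_vulnerable(note_id: int, user: str) -> str:
    """Lookup keyed only on the URL parameter: anyone who changes the id reads another user's note."""
    return NOTES[note_id].content


def get_note_hardened(note_id: int, user: str) -> str:
    note = NOTES.get(note_id)
    if note is None or note.owner != user:
        raise Forbidden()   # same answer whether the note is missing or belongs to someone else
    return note.content


def download_certificate(order_id: int, user: str) -> str:
    """The API endpoint enforces both checks itself; hiding a download button in the UI is not a control."""
    order = ORDERS.get(order_id)
    if order is None or order.owner != user:
        raise Forbidden()
    if not order.paid:
        raise PaymentRequired()
    return "certificate for order %d" % order_id


def mark_paid(order_id: int) -> None:
    """Called by the payment provider's confirmation, not by the browser."""
    ORDERS[order_id].paid = True


def outcome(fn, *args):
    """Run an endpoint function and report its result or the name of the refusal raised."""
    try:
        return fn(*args)
    except (Forbidden, PaymentRequired) as e:
        return type(e).__name__
```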
Acceptance of blank or irrelevant documents:
The platform allows the upload of empty or irrelevant PDF documents, signed electronically, instead of the requested ones, automatically approving them without proper checks. The only validation was based on the name of the uploaded file, which had to match that of the generated document.
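Added example, not the platform's code: a Python check that inspects the uploaded PDF itself rather than its file name, rejecting files that are not PDFs or have no page content. The two sample PDFs and the size threshold are constructed; verifying the electronic signature is a separate step not shown here.

```python
import re

PDF_MAGIC = b"%PDF-"
MIN_STREAM_BYTES = 200   # assumed threshold: a filled-in form carries far more than this

# Constructed minimal PDFs: one with an empty page, one with a page that draws text.
_HEAD = (b"%PDF-1.4\n1 0 obj<</Type /Catalog /Pages 2 0 R>>endobj\n"
         b"2 0 obj<</Type /Pages /Kids [3 0 R] /Count 1>>endobj\n")
_TAIL = b"trailer<</Root 1 0 R>>\n%%EOF\n"
BLANK_PDF = _HEAD + b"3 0 obj<</Type /Page /Parent 2 0 R>>endobj\n" + _TAIL
TEXT_OPS = b"BT /F1 12 Tf 72 700 Td (Cerere de inregistrare) Tj ET\n" * 8
FILLED_PDF = (_HEAD
              + b"3 0 obj<</Type /Page /Parent 2 0 R /Contents 4 0 R>>endobj\n"
              + b"4 0 obj<</Length " + str(len(TEXT_OPS)).encode() + b">>\nstream\n"
              + TEXT_OPS + b"endstream\nendobj\n" + _TAIL)


def validate_by_name(filename: str, expected_name: str) -> bool:
    """The check described in the report: only the file name is compared."""
    return filename == expected_name


def validate_pdf_content(data: bytes) -> list:
    """Return the list of problems found; an empty list means the file looks like a real, non-blank PDF."""
    problems = []
    if not data.startswith(PDF_MAGIC):
        problems.append("not a PDF header")
    if b"%%EOF" not in data[-1024:]:
        problems.append("missing %%EOF trailer")
    if not re.search(rb"/Type\s*/Page(?!s)", data):
        problems.append("no page objects")
    streams = re.findall(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S)
    if sum(len(s) for s in streams) < MIN_STREAM_BYTES:
        problems.append("content streams too small (blank page?)")
    return problems
```

A production check would additionally parse the document with a proper PDF library and validate the signature; this sketch only shows why the file name is not evidence of content.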
These vulnerabilities, repeatedly demonstrated through screenshots, demonstration files, and video recordings that we have provided to the authorities, are symptomatic of a systemic issue in the development and management of government digital platforms.
Risks and Implications: Beyond the Technical Aspects
Beyond the purely technical aspects, the vulnerabilities in the MyPortal platform have profound implications for the security and trust in the digital services provided by the state.
The exposure of personal data facilitates crimes such as identity theft, fraud, and the abusive use of information for illicit purposes.
Moreover, such incidents undermine citizens' and businesses' trust in public institutions' ability to protect their data and provide secure digital services.
Finally, the investment of 5,500,000 RON for the implementation of automated testing and security auditing of the platform does not appear to have delivered an effective service:
The authorities' response: Quick and efficient
Although we promptly reported the discovered vulnerabilities to the ONRC, the National Cyber Security Directorate (DNSC), and the National Authority for the Supervision of Personal Data Processing (ANSPDCP), the authorities' response was swift but initially ineffective.
Despite the temporary closure of the platform for repairs for a few hours in hopes of resolving the issues, security problems persisted, and a video in which I severely criticized the response was needed to elicit a serious reply:
For example, subsequently, after the first attempt at resolution, the ONRC only removed the blue download button, without blocking the API endpoint that actually downloads the file:
The video clip was created to raise an alarm and highlight the need for decisive and transparent measures from the authorities.
Compared with the response speed in other CVDs we have reported, ONRC and DNSC moved much faster here, which we attribute to reporting to several key institutions at once, thereby sending a strong signal regarding the severity of the issues.
The timeframe for addressing vulnerabilities was approximately 2-3 days.
A call to action and responsibility
It is time for the Romanian authorities to treat cybersecurity with the seriousness it deserves. Beyond the technical aspects, a fundamental change in mindset and accountability at all levels is needed.
Public institutions must give absolute priority to the security of personal data and allocate the necessary resources for the development and maintenance of robust and secure digital platforms.
Additionally, transparent and proactive communication with the public is essential in the event of security incidents to maintain citizens' trust in government digital services.
Beyond the technical aspects, there is also a need for legislative reform to establish a clear framework of responsibilities and penalties for institutions that fail to protect citizens' data.
Only through firm measures and real consequences for those who neglect cybersecurity can we hope for a genuine change in approach. If the culpable public official is not sanctioned, the only one losing will be the public institution, and consequently, the citizen who now has to tolerate higher taxes; the problem will not be resolved. Post-factum analysis of cases must be implemented, along with appropriate sanctions/measures to prevent the recurrence of the same errors.
Conclusions: Lessons to be Learned
The vulnerabilities discovered in the MyPortal platform of ONRC are a symptom of a larger issue - the neglect of cybersecurity in government digital services.
We hope that this incident serves as a wake-up call for the Romanian authorities, highlighting the need for a proactive, responsible, and transparent approach to cybersecurity.
A paradigm shift is needed in how public institutions handle citizens' data security. Only by prioritizing cybersecurity, appropriately allocating resources, ensuring accountability, and maintaining transparent communication with the public can we hope to restore trust in government digital services and create a safe online space for all Romanian citizens.
As a company, we have the duty to hold accountable the institutions that represent us and to ensure that our rights in the digital age are diligently protected.
We hope that by detailing these vulnerabilities and highlighting their implications, we will encourage a constructive dialogue and prompt concrete actions to improve cybersecurity in Romania.
Attached documents:
Notification of the issue
Public procurement platform details (30,000,000 EUR +)
These materials form the basis of our initiative, and we hope they will serve as a starting point for an honest and productive discussion about cybersecurity in Romania. It is time for action, transparency, and accountability - and this begins with acknowledging the issues and a firm commitment to addressing them.
Public procurement details:
Advice & Recommendations, Opinions:
Are there any issues with the ONRC before the platform launch?
I believe so, based on the terms and conditions that I extracted directly from the platform's source code and reconstructed in LaTeX (the original text, reformatted with ClaudeAI). The entire reconstructed document is in the attached documents section.
The "Terms and conditions for online access to BPI services" document, data-mined from the source code (I have not checked whether it is present and active on the platform, but it shows that the platform's issues were known):
Additionally, ONRC had contracts with 2 testing entities, the second for a smaller amount, 50,000 RON, designated as a "technical audit," from a company that conducts pentesting. Does ONRC realize that the first service was poorly executed?
How to keep your data safe?
Once your data becomes publicly accessible, the number of phishing/spear phishing attacks you receive increases. Therefore, use the following steps to identify if something is a phishing attempt:
Compensation & State Sanctioning:
Personal data is protected by both GDPR and local legislation. Since it is possible that your personal data may have been accessible or even accessed (in some cases) by third parties due to the ONRC platform's fault, I recommend that you consult with a lawyer, because in my opinion (as a non-lawyer), civil liability for tort may be incurred due to negligence:
- National roll of lawyers, IFEP.ro (inaccessible as of the publication date): https://www.ifep.ro/Justice/Lawyers/LawyersPanel.aspx
- Lawyers' Table - Cluj Bar Association: https://www.baroul-cluj.ro/the-board-of-lawyers/permanent-lawyers/
- Lawyers' Table - Bucharest Bar Association: https://www.baroul-bucuresti.ro/tablou
Updates:
Update #1: A surprisingly good response from ONRC
When I submitted the complaint to the ONRC, I didn't expect much. My previous experiences with public institutions made me cautious in my expectations. However, this time, I was pleasantly surprised.
ONRC responded promptly and, to my surprise, in a very professional manner. They directly addressed the reported issues, confirming that they had conducted checks and taken action. Furthermore, they mentioned that they continuously monitor the portal and are open to feedback.
What impressed me the most was the tone of the response - respectful and very decent. It is rare to see a public institution thank someone for feedback that involves serious issues and show genuine concern for improving its services.
Although a single good response does not solve all the system's problems, it is an encouraging sign. It shows that there is potential for better communication between institutions and citizens. It is a promising start, and I hope to see more examples of this kind in the future.
Update #2 - Response from the Minister of Research, Innovation, and Digitalization
An encouraging response also came later from MCID, which has started to get involved in resolving the issues of the MyPortal.ONRC.ro platform.