CECCAR - Data Breach

Official Publication: ENTRYRISE S.R.L
Scope: Public notification on data breach and incorrect handling of breach
Date of the breach: September 7, 2023

BREACH Details:
- Over 50,000 private individuals' personal details, including names, personal identification numbers (CNP), sex, birth date, birth place, address, PO box address, phone number, mobile phone number, email address, phone address, website, authorization number, "APEA", citizenship, professional details, and more.

RISKS:
- Identity Theft
- Misuse of credentials
- Fraud and money laundering through identity theft (Such as taking online loans)
https://www.linkedin.com/in/stefan-deleanu-94036417b/
https://www.facebook.com/stefatorus
MAIL: OFFICE@INCORPO.RO

Update #1: 01/06/2024 00:48

Release Details

On September 7, 2023, CECCAR, the Romanian accounting association, suffered a major breach involving all expert accountants and authorized accountants.

The following information was made public:

  1. Full Name: Identifying the individual members.
  2. Personal Numeric Code (CNP): Unique identifier containing sensitive data, such as birth date and gender.
  3. Address: Either office or home addresses.
  4. Date and Place of Birth: Including specific locality, adding to personal identification.
  5. Mobile Phone Numbers: Some instances include landline numbers.
  6. Mailing Address: Different from the residential or office address.
  7. Data related to Registration in CECCAR: Intended for public display, but still sensitive in this context.
  8. Personal Identification Number (CIP): Another unique identifier.
  9. Citizenship: This could be sensitive as it might indicate ethnicity.
  10. More

Vulnerability difficulty: very low

The vulnerability allowed access to personally identifying data directly through the browser.

Notification attempt and official response

The DPO, as well as the official contact address of CECCAR, was immediately notified with details including the extent of the breach, steps to reproduce the issue, and potential solutions.

Common behavior shared by the Bar Association (UNBR):

We have BCC-ed the national data protection agency to ensure that the breach is properly notified since previous reports related to a similar vulnerability leading to the leaking of all PINs (CNPs) of lawyers registered at a bar went similarly unreported.

The full extent of the report can be viewed here (Email Download - PDF):

Reply from CECCAR DPO

The Data Protection Officer of CECCAR, from http://daikokuten.ro/, notified us that all of the required measures will be taken to properly disclose the vulnerability post-resolution and inform the national data agency.

Steps taken

The vulnerability was marked as resolved on our validation on September 10, with the technical team having removed the personally identifying information from the endpoint.

We believe this has fully resolved the breach.

Breach Period

While we were unable to validate the extent of the vulnerability, we believe the breach existed for at least 6 months, having identified the vulnerable program to have been accessible since 2021.

Risk assessment and CVSS details

The vulnerability was assessed based on criticality, impact, and exploitability using the CVSS scoring metric, with an estimated CVSS Score of:

  • CVSS Base Score: 7.5/10
  • Impact Subscore: 3.6/10
  • Exploitability Subscore: 3.9/10
  • CVSS Temporal Score: 7.2/10
  • CVSS Environmental Score: 7.2/10
  • Modified Impact Subscore: 3.6/10
  • Overall CVSS Score: 7.2/10

Reply from the National Institute of Transparency, Access to Information and Protection of Personal Data

The national data protection agency had not been notified of the breach by the Data Protection Officer of CECCAR, as the legal requirements demand.

On January 3, 2024, the ANSPDCP notified us that they were unable to find the vulnerability and requested proof. Proof was provided, including all the data that was leaked by CECCAR.

INCORPO.RO - OFFICIAL RELEASE

We believe that everyone should be aware of the extent to which their data is processed. While we are pro-processing and are ourselves a platform that uses analytics to help shape our products, we believe this should be done responsibly and with proper disclosure.

The behavior of CECCAR, which decided to hide the vulnerability instead of notifying them, is proof of malicious activity on their part, and of an attempt to hide their inability to protect this information.

With a similar breach being swept under the rug by the bar association in Romania, in relation to a previous notification, we've decided to notify the individuals ourselves to prevent the concealment of the data breach.

Check if you were breached in the CECCAR data breach:

We have emailed all of the affected individuals with a comprehensive report on the breached data.

However, due to the lack of trust and awareness (we are a private entity) surrounding the breach, we decided to create a tool to help individuals safely check whether they have been breached.