Information has appeared on Reddit that data, presumably from the information systems of government institutions in Uzbekistan, has been posted on the dark web. According to Gazeta.uz, this information may contain personal data of 15 million citizens.
The State Unitary Enterprise "Cybersecurity Center" commented on the situation, stating that an investigation into the data leak has begun.
“Messages on social media indicate possible leaks of personal data of citizens of Uzbekistan from government information systems. We are currently analyzing the incident and will provide additional information based on its results,” the center reported.
On a specialized forum discussing cases of leaks and the sale of stolen information, it is claimed that the OAuth server, which is a key authentication system in the state, has been hacked. This jeopardizes all websites and systems that use it as a trusted source of authorization, including universities, political parties, utility payment platforms, law enforcement agencies, and the personnel system of the Ministry of Internal Affairs.
The OAuth server played an important role in the digital government system for user identification. Preliminary data suggests that the hack may have led to the theft of data from more than 15 million people.
Additionally, the system of the National Agency for Social Protection (IHMA), which stored citizens' medical data, has also been compromised. The data leak related to the Ministry of Internal Affairs (IIV.UZ) is also linked to the incident with the OAuth server. Similar issues have affected the systems of the National Statistics Committee of Uzbekistan (STAT.UZ) and the Mortgage Refinancing Company of Uzbekistan (UZMRC.UZ).
Among the leaked data are:
- first and last name,
- residential address,
- date of birth,
- phone number,
- email address,
- passport number.
The hacker group, to confirm the authenticity of their data, published personal information of many citizens. The publication Daryo.uz reported that they have files containing complete data of citizens, including copies of passports, sick leave certificates, and photographs.
The Telegram channel Kurbanoff.net clarified that the data pertains to the year 2023.
On January 31, the National Agency for Social Protection announced preventive work in the "Unified National Social Protection" system. As a result, users may have experienced disruptions in electronic services on the portal my.gov.uz starting from 5:00 AM on February 2.
The National Statistics Committee, in turn, assured that there are no grounds for concern regarding the security of citizens' personal data related to the census.
“The data is protected in accordance with national information security requirements, and its leak through external sources is impossible,” their statement emphasized.
It was also noted that during the census process, citizens' photographs were not uploaded to the database.
