Estonia data protection officials urge for more data privacy caution


The Information System Authority (RIA) in Estonia has called upon its citizens and businesses to take data protection and privacy more seriously.

The official advisory comes after numerous reports in the Baltic nation, after a series of incidents involving hackers getting through Estonian retailers’ cyber defences to steal customers’ personal information.

Head of cyber-security at RIA, Uku Sarekanno, said:

“People should think carefully about what data they provide and to where, because after providing it they no longer control their data. Our recommendation for businesses is to regularly test the security of your online environments and other systems, regularly identify and patch software weaknesses. All this is many times cheaper than dealing with consequences later.”

In the last two weeks, the RIA received notification from one municipal organisation and two companies about private data being exposed on the internet. The incidents have collectively compromised the data of at least 34,000 individuals and 100,000 confidential transactions.

The breached internet stores included and Bewegen, as well as corporate clients of the fuel retailer, Olerex.

Sarekanno said:

“According to initial estimates, the data was public as a result of human error. RIA however did start supervision proceedings with regard to all three parties to find out whether their information systems are sufficiently protected.”

“As we have learned, what leaked was the name and the personal identification code of corporate clients, credit card data was not accessible. This doesn’t mean that the data of 100,000 persons was accessible, but of 100,000 transactions at pump. We do not know the exact number of clients whose name, personal identification code and card limit could be found on the internet,” he added.

Regarding Olerex, the past six weeks’ worth of data transactions became exposed in a data leak which was eventually shut down on 9th July.

“It was possible to find this data when knowingly searching for it, it was not that no matter who would come across it. The security weaknesses were probably searched out by a robot which tried to get into different databases. We also know that this data was in fact downloaded,” Sarekanno continued.

PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered.