Over the past two months, Moscow has issued tens of thousands of fines to local residents for violating the city’s coronavirus self-isolation restrictions. Thanks to weak cryptographic security, the personal data of those ticketed is now available online.
The blog Nora Ezhika first drew attention to the data leak on May 12, reporting that the city’s web portals for paying quarantine fines makes it easy to discover people’s full names and passport numbers. All that’s needed to obtain this information is the specific ticket number. “Under no circumstances ever share screenshots of your tickets showing your unique ticket number!” warned the blog.
In fact, people’s private data is accessible even if they haven’t published their ticket numbers. Information security expert Alexey Drozd told the newspaper Kommersant that simple brute-force attacks are capable of finding real ticket numbers (which consist of 20-25 characters) and then mining individuals’ data. Ashot Oganesyan, another data expert, told Kommersant that Russia’s ticket-payment websites are rarely protected against exhaustive key search.
Update: Moscow Main Control Department head Evgeny Danchikov denies that brute-force attacks are capable of guessing ticket numbers and claims that people are only at risk of losing personal data if they themselves share photos of their ticket numbers.
Moscow’s Department of Information Technology told Kommersant that online payment portals for quarantine fines are outside its purview.