By Lina Giannarou, Yiannis Souliotis & Prokopis Hadzinikolaou
The cases of leaked personal data that have been reported over the past few months are just the tip of the iceberg, according to experts who say that the sale of private information such as the tax records of unwary citizens has become a multimillion-euro business and is taking place right under the noses of the Greek authorities. The crisis, they add, has also led to lax security regarding public service and ministry databases, meaning that the phenomenon is most likely to see an additional rise.
From the Lagarde list and the off-the-books accounts of high-ranking civil servants, to the catalogs of the Athens Bar Association and the database of a vehicle inspection center (KTEO), there is no end to the gold mine of personal information that is available to the skilled hacker or audacious briber.
Entire companies, as well as individual “entrepreneurs,” can put together information gleaned about an individual’s personal habits, finances and social activities to create a profile that can be used for product or service promotion, as well as more nefarious goals.
The demand for personal data is so great that companies are opening up all over the country dealing exclusively in their collection and “management.”
“In short, they buy and sell CDs of information,” a source in the business, who declined to be named, told Kathimerini.
These companies claim that the information they collect is on public record, such as from the Athens Doctors’ Association or the telephone book. However, according to the regulations of the Authority for the Protection of Personal Data, even when information is a matter of public record, the person to whom the information belongs must give his or her consent before it is disseminated.
According to Vassilis Sotiropoulos, a lawyer who specializes in personal data protection, the collection of such information is allowed without the consent of the subject only when the subject is a public figure and is for the purpose of journalism or for conducting a criminal investigation.
“Even then you would need the authority’s approval,” said Sotiropoulos, adding that “under no circumstances would permission be given to a data collection company. Overall, Greek legislation is very strict about such matters.”
Special permission from the authority is also necessary for the collection and use of sensitive personal information, such as medical records, said Sotiropoulos, while an Athens court last month ruled in favor of a man who had filed a suit against his bank because it shared his personal data with a debt collection company without first getting his approval.
The crisis has given new momentum to the business of selling data, with tax records leading in popularity, according to experts, who say that indebted households and individuals are increasingly being targeted by collectors and other potential creditors using confidential data to gauge their approach.
The crisis, experts add, has also created a massive gap in security.
“The public sector is in a dramatic state in terms of security systems,” the CEO of security firm Obrela, Giorgos Patsis, told Kathimerini.
“As though the problems of overlapping responsibilities for security between ministries and poorly trained employees were not enough, the crisis has pushed security down to the bottom of the list of public services’ priorities,” Patsis said. “For example, there hasn’t been a single competition for companies to provide a data security system for at least two years in the state sector.”
Patsis says that almost anyone with the right know-how can infiltrate the databases and records of public services and download as much information as they want.
“And it’s not just the problem of hackers either,” said Patsis. “In fact, public records are most at risk from human error. All someone has to do is leave a door open and crooks can get their hands on valuable records.”
Cost of information from 200-1,000 euros per item
Officers working for the police’s electronics crimes squad say that the biggest case of private data theft they have cracked was earlier this month in Dafni, eastern Athens, when they arrested a man who was in possession of over 100 million records pertaining to individuals and companies.
The 59-year-old suspect has pending convictions over tax evasion, while authorities are also seeking his 31-year-old son, who was the president of the company for which the data collection was taking place, as well as a 35-year-old computer technician who worked for them.
Another suspected accomplice was also arrested in Exarchia on January 16.
The records found by officers in the Dafni offices of the company, which had a staff of 38, are believed to have come from the ministries of Finance, Transport and Interior, while the number of records is estimated at 110-120 million. Among the information siphoned from the Finance Ministry’s General Secretariat of Information Systems are the names of people who owe money to the state and property owners, as well as millions of property registration and income declaration codes. From the ministries of Interior and Transport, the company was able to get detailed information pertaining to registered car owners as well as registered voters.
The data were stored in three separate servers and could be cross-referenced, while any of the employees could type in the name of an individual in the system and have access to all of the information gathered on him or her.
According to police sources, the company sold the information directly to individuals and mainly to commercial companies. Unconfirmed reports say that the company had a list of 30,000 clients, while an inspection of its ledgers revealed that its annual turnover was as high as 4 million euros. Clients varied greatly and apparently included pawnshops and debt collection agencies. Sources say that each item of information was being sold for between 200 and 1,000 euros, and that clients could also pay a monthly fee of 500 euros to have regular access to personal data.
The records found on the company’s servers were leaked in the “traditional” way, according to electronics crimes officers, meaning in collusion with employees at the various ministries involved rather than from hacked databases. The way that the data was stored and filed was also similar to an online marketing company that was closed down in November when an associate was found to have over 9 million confidential records in his possession. The technical similarities between the two businesses have led authorities to suspect that they are linked.
However, Kathimerini understands that the judicial system has not made progress on the November case nor been able to locate any public sector employees who may be responsible for trading in personal information.
Gangs peddling records from ministries
High-ranking Finance Ministry sources say that they are aware there is a gang peddling the personal details of taxpayers to companies and individuals that sell private records, adding that it has operated in the past within the General Secretariat for Information Systems. They also say that there are similar gangs at work in the ministries of Interior and Transport.
The sources also say that this has been going on for years, as evidenced by cases where personal data found to have been illegally obtained dates back several years. As far as the General Secretariat for Information Systems is concerned, the issue was apparently dealt with in 2009, when it made sure that no employee could access files without entering a username and password into their computers before having access to the system. The secretariat also deactivated all entry codes used prior to 2009 and issued all employees with new ones so that it can track their activity.
However, experts have expressed concern that some of the information leaked in the past may have come from the real estate register, which comprises highly sensitive information often bought by lawyers who want to have a clear picture of the assets that exist on each side of a lawsuit without having to comb through registry offices all over the country.
Despite significant steps taken over the past couple of years to curb leaks of tax information, two such cases were uncovered by police officers in the last three months.
Sources say that more steps will be taken to safeguard the confidentiality of taxpayers’ information, among which will be stiffer penalties for people found to be peddling in public records or using this information illegally. The Finance Ministry is apparently in the process of researching different security software that will protect its records.
Leaks from the Finance Ministry
Three separate cases of confidential data being leaked from the Ministry of Finance have recently come to light.
The first was on July 27, when an employee of the State’s General Accounting Office was arrested on charges of leaking a document with information that Alternate Finance Minister Christos Staikouras was to use during his negotiations with the country’s creditors. The non-paper had been penned by a ministry official and sent by e-mail to Staikouras, to the suspect and two more ministry employees. The document that was leaked on the Internet was a printout of the one sent by Staikouras and because the suspect printed it from his e-mail account it contained his username. He later claimed that the printed document had been purloined from his desk by another employee and leaked. Judicial authorities have completed their investigation into the main suspect and are now deciding whether to summon the employee he alleged to have leaked the document to respond to charges.
The second case was on October 28, when documents from the General State Accounting Office appeared on the Internet and were, according to one version of the story, posted there by the Anonymous hackers group, who had claimed responsibility for the leak on Facebook and Twitter. The documents dated to the June-October 2012 period and came from the General Accounting Office, as well as from other services such as the Public Debt Management Agency. Officers of the electronic crimes squad, however, suspect an employee as being behind the leak.
The last case came to light on November 20, following the arrest of a 35-year-old associate of an online marketing company who was found to be in possession of a record containing 9 million entries pertaining to Greek citizens. According to the police, the information came from the Finance Ministry’s Taxis and Elenxis databases. The 35-year-old was remanded in custody pending sentencing. He also named as his accomplice a 45-year-old associate who owned a company that sold personal data and who was subsequently arrested as well.