Argentine Public authority suffers a security incident

By Mariano Peruzzotti and Josefina Piñeiro.

Recently the National Registry of Persons (known as “Renaper”, which stands for Registro Nacional de las Personas) suffered a security incident that could have compromised personal data of Argentine citizens. The Renaper is a public agency within the structure of the Ministry of Inner Affairs in charge of keeping records of citizens and issuing national ID cards. Although the investigation is at an initial stage, we report the most important points that have been disclosed to date on this case.

About the incident.

According to the news, a Twitter user under the name “@AnibalLeaks” disclosed personal information and photographs of the ID cards of 44 well-known persons in Argentina and claims to hold information of the entire population. According to investigations, this person is promoting the commercialization of the information in non-official markets.

Additionally, the Ministry of Health reported that it has identified a potential incident affecting its records that could be related to this case.

Information exposed.

The compromised information would involve individuals’ records, such as photos, names, surnames, addresses, ID numbers and ID processing numbers, among others.

Affected individuals.

The leaked data seems to belong to public officials, political leaders, athletes and celebrities. However, there is a potential risk that the incident may have affected any citizen, considering that the person involved in this case claims to have obtained information about 45 million Argentine citizens. Argentina currently has an estimated population of 45 million.

Individual involved in the hack.

The person responsible for this incident has not yet been properly identified. Officials from the Ministry of Inner Affairs stated that this is not a hack but rather appears to be the work of an authorized user who would have computer knowledge as well as credentials that allow access to public authorities’ records.

Measures taken.

The Renaper has filed a criminal complaint with the Federal Court in Criminal and Correctional matters.

Moreover, the Ministry of Health has not only filed a complaint with the courts but also modified the entire system of internal codes and passwords and limited the use of personal data from the Renaper.

Obligation to report an incident.

The Argentine Personal Data Protection Law (“PDPL”) does not provide for an obligation to report a security incident to the controlling authority or the affected data subjects. However, Resolution 40/2018 of the Argentine Agency for the Access to Public Information (“Agency”), the controlling authority of the PDPL, rules that, on detecting a security incident that involves a significant risk for the rights and interests of the data subject, the relevant public body has to report such event without delay to the Agency.

For further information please contact: mperuzzotti@ojambf.com.