Working as part of Digital Security Alliance, we came across a vulnerability affecting infodebt.lv, a system owned by Gelvora SIA. This system potentially contains financial data about most of the citizens of Latvia. Based on the domain registration information provided in WHOIS records, the system has been active since 2013. The vulnerability allowed unauthorized access to the database, through which all of the database records could be retrieved.
From the information available on Gelvora.lv about infodebt.lv: “The advantages of the database: it is one of the largest debt history databases in Latvia;”. Based on this, it’s safe to assume that the database contains information on no fewer than 1 million of Latvia’s inhabitants.
Our first step, on February 20, 2018, was to contact Gelvora SIA via the only publicly available e-mail address, email@example.com, informing them about the security issue.
We received a response from Vygandas Jonušas, CISO for Baltic Region (Marginalen Group) on February 22, 2018.
After communicating with Vygandas and informing him that the issue concerned a Gelvora SIA (Latvia) based system, we received information from Irina Namavīra, Chairperson of the Board at Gelvora SIA, on March 01, 2018.
On March 05, 2018, following the principles of Responsible Disclosure, the information was passed to CERT.LV with full details about the vulnerability. On March 07, 2018, CERT.LV informed us that Gelvora had mitigated the vulnerability.
On April 10, 2018, CERT.LV published information about the incident in their March release. The release does not mention “Gelvora” SIA as the subject of the breach, nor has Gelvora made any public statement or informed their clients about the incident.
Let’s take a different perspective on this story. The US recently had the Equifax data leak affecting about 143 million consumers (less than 40% of the US population). That information became public very quickly, and all of the consumers affected by the breach have been informed and are pursuing lawsuits. In our case, assuming that the financial information of well over 50% of Latvia’s inhabitants was potentially breached, neither Gelvora SIA is interested in informing their clientele about the incident, nor is Latvia’s security institution, CERT.LV, interested in disclosing such information.