Authorities fine Air Astana and Kazakhtelecom for personal data leakage

The Digital Ministry has checked mobile operators and the national pension fund for potential loopholes in their information security systems / Collage by Kursiv.media

Kazakhstani authorities will fine Kazakhtelecom and Air Astana for not doing enough to keep the personal data of Kazakhstanis safe. The two companies will be obliged to pay $825 in fines and correct the violations within the year.

The context. In February, unidentified hackers published data from iSoon (or Anxun), a Chinese contractor for the Ministry of Public Security of China. According to that information, a group of Chinese hackers for two years had maintained access to critical infrastructure of Kazakhstani mobile operators and likely to personal data of Kazakhstanis.

Over the period from 2019 to 2020, beeline.kz lost 637 gigabytes of confidential information, kcell.kz lost 820 gigabytes, tele2.kz — 1.09 terabyte and telecom.kz — 257 gigabytes (in 2021). The Unified Accumulative Pension Fund (UAPF) was also mentioned in the information about the leakage. In 2019, the fund lost 1.92 gigabytes of confidential information. Hackers also published screenshots with data from the Ministry of Defense of Kazakhstan and Air Astana.

According to the Computer Emergency Response Team (CERT), hackers also attacked law enforcement officials in Kazakhstan. This result came from a thorough examination of mobile numbers in various leakages and GetContact

The incident forced the Ministry of Digital Development and the National Security Committee to look through the information security of the entire critical infrastructure of Kazakhstan.

The ministry inspected the UAPF, mobile operators and other companies mentioned in the leakage and found no violations except for some loopholes in the IT systems of Kazakhtelecom and Air Astana.

In December last year, President Kassym-Jomart Tokayev authorized the activities of white hat hackers who might now participate in analyzing public IT systems to ensure they have no vulnerabilities. In January 2024, the Ministry of Digital Development, Innovations and Aerospace Industry officially adopted rules designed to regulate the practical activity of white hat or ethical hackers.

According to the rules, white-hat hackers must register in a special system before searching for any vulnerability that can damage the sustainability of public IT systems. Each ethical hacker should use a special token issued by authorities. Any attack on eGov without a token would be considered unauthorized.