Twenty million Russians have their tax records exposed online

Names, addresses, passport numbers, Tax IDs - the whole lot - exposed on unsecured, unencrypted Elasticsearch cluster

A database containing the tax records of more than 20 million Russians has been found online on an unsecured server - apparently run from Ukraine.

The Elasticsearch cluster was hosted on the AWS cloud, publicly available, and could be accessed without so much as a password, let alone any other authentication.

The security blunder was uncovered by Comparitech and noted researcher Bob Diachenko, who has regularly uncovered unsecured systems online, including the 4GB leak of half a million Delhi citizens' information in February 2019 and, just months later, the exposure of data on 275 million Indian citizens.

Most of the databases on the Elasticsearch cluster contained random or publicly sourced data, but two of them were packed full of legitimate personal and tax records: one 14 million-strong database with data from 2010 to 2016 and a smaller file with 'just' six million records from 2009 to 2015.

The records contained names, addresses, residency statuses, passport numbers, phone numbers, Tax ID numbers, employer names and tax amounts. None of the data was encrypted, either.
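As an added illustration, not from the report or from whoever ran the cluster: an elasticsearch.yml that reproduces the open, password-less, plaintext state described above, followed (after the `---` separator, as a second file) by a hardened version for Elasticsearch 7.x; the cluster name, private address and certificate paths are assumed placeholders.

```yaml
# WEAK: the configuration that yields an exposure like the one above
# (constructed example, not the leaked cluster's real file).
# Listening on every interface with security off means anyone who can
# reach port 9200 can list indices and read documents with no credentials,
# and every byte travels in the clear.
cluster.name: tax-records            # assumed name
network.host: 0.0.0.0                # binds all interfaces, public one included
http.port: 9200
discovery.type: single-node
xpack.security.enabled: false        # no authentication, no authorization, no TLS
---
# HARDENED: same node, same data, closed to the internet.
cluster.name: tax-records
network.host: 10.0.1.20              # assumed private VPC address, never a public interface
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true         # every request must authenticate; roles limit index access
xpack.security.http.ssl.enabled: true                         # TLS on the REST port
xpack.security.http.ssl.keystore.path: certs/http.p12         # assumed path, relative to config dir
xpack.security.transport.ssl.enabled: true                    # TLS between nodes
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/transport.p12    # assumed path
xpack.security.transport.ssl.truststore.path: certs/transport.p12  # assumed path
```

Set initial passwords for the built-in users with `bin/elasticsearch-setup-passwords` (7.x), and pair the private bind address with a security group that only admits the application tier. Data-at-rest encryption is not an elasticsearch.yml setting; it comes from the underlying volume, such as an encrypted EBS volume on AWS.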

It's unclear whether Diachenko was able to locate the owners of the database cluster in order to notify them. However, it was taken offline within days of the discovery and of Diachenko's attempts to alert the owner.

Nevertheless, the fact that it was first indexed by search engines last May indicates that it was open and available for at least 16 months. It's not known whether less benign actors than Diachenko discovered the Elasticsearch cluster first.

This leak of highly personal citizen data is far from the first: September alone saw not one but two big leaks of Ecuadorian citizens' data.