Hackers are reportedly selling the personal data of over a million Russians who voted electronically, using blockchain technology, during the recent constitutional amendment process.
Over 1.1 million data points were stolen and put on sale for $1.50 each on the online forums, the Russian newspaper Kommersant wrote. The data, consisting exclusively of passport numbers, has little value on its own, the anonymous sellers admitted to Kommersant. But such data can be used for phishing attacks when combined with information from other leaked databases.
Moscow’s Department of Information Technologies, which is responsible for the design of the voting system, denied the report in an email to CoinDesk.
“The department is regularly monitoring the internet for publications of such data, including the darknet. The database mentioned in the publication has nothing to do with the list of voters who registered to vote online,” the department’s press office wrote, adding that the information on the Moscow city hall’s servers was properly protected and “there had been no leaks since the beginning of 2020.”
See also: Putin Signs Russian Crypto Bill Into Law
The online voting was a part of nationwide voting dedicated to the amendments to the Russian constitution, which, among other things, eliminated the two-term restriction for presidents, effectively allowing Vladimir Putin to stay in power longer.
The online voting system, based on Bitfury’s open-source Exonum blockchain and built with the help of Kaspersky Lab, was previously reported to have poor data protection. Journalists were able to decrypt people’s votes as well as pull passport numbers out of a weakly protected file posted online by the authorities, a Russian media outlet Meduza wrote.
The voting took part during the last week of June and ended July 1, both online and at the physical polling stations. Municipal authorities’ employees were forced to vote electronically, BBC reported.
In a blog post earlier Tuesday, department representative Artyom Kostyrko said the department compared the screenshot the seller provided with the voter database, and the information didn’t check out. However, according to the founder of the cybersecurity firm DeviceLock, Ashot Oganesyan, the database was genuine and has been on sale for a while now.
Kaspersky declined to comment on the security issue when asked by CoinDesk.
In Russia, every citizen older than 14 has a passport, which serves as a universal ID for any kind of interaction with the government. Each passport has a unique number, and those numbers have reportedly been retrieved from the online voting system and put on sale.
Russia is planning to expand the practice of online voting, despite the issues mentioned above. The previous blockchain voting experiment by Moscow, which took place in the fall 2019, used the Ethereum blockchain and also turned out to have weak security.