An anonymous hacker has allegedly leaked the entirety of Argentina’s National Registry of Persons, offering select information for sale on a dark web forum.
# Incident Report: Argentina National ID Database Exposure
## Executive Summary
The entirety of Argentina’s National Registry of Persons (RENAPER) database, containing sensitive Personally Identifiable Information (PII) for an estimated 45 million citizens, was compromised and offered for sale on a dark web forum around November 2021. The Ministry of Interior suspects the breach was facilitated by an insider, evidenced by the use of an agency VPN account to query the database shortly before data publication. The primary impact is the severe risk of identity theft and various cyberattacks against the Argentinian populace.
## Incident Details
- Discovery Date: Around November 2, 2021 (when data was posted publicly on a dark web forum and publicized via a now-deleted Twitter account).
- Incident Date: Pre-November 2, 2021 (specific start date unknown).
- Affected Organization: Registro Nacional de las Personas (RENAPER), under the Ministry of Interior of Argentina.
- Sector: Government/Public Sector (Citizen Registry).
- Geography: Argentina.
## Timeline of Events
### Initial Access
- Date/Time: Unknown, leading up to November 2, 2021.
- Vector: Suspected insider threat/employee compromise.
- Details: The responsible government body (Ministry of Interior) suspects the breach did not result from exploiting a public-facing vulnerability, but rather through the actions of an employee.
### Lateral Movement
- Details: An agency VPN account was used to query the RENAPER database immediately preceding the data publication, suggesting the attacker used legitimate credentials to access and gather the data. No specific details on internal network movement are provided, only database access.
### Data Exfiltration/Impact
- Details: The entire RENAPER database, including PII for over 45 million citizens, was exfiltrated and offered for sale online. Sensitive information included full names, photo identification, residential addresses, National ID numbers, and internal barcodes.
### Detection & Response
- Detection: The incident became public knowledge after a now-deleted Twitter account (@aniballeaks) posted PII belonging to 44 Argentine celebrities, demonstrating the hacker's access.
- Response actions taken: The Ministry of Interior launched an investigation, focusing on the insider threat hypothesis based on VPN logs.
## Attack Methodology
- Initial Access: Suspected insider action (unauthorized access or misuse of credentials by an employee).
- Persistence: Not explicitly detailed, though the successful query via a VPN suggests maintained access or session prior to data extraction.
- Privilege Escalation: Not detailed; assumed the attacker/insider already possessed requisite network or database access permissions.
- Defense Evasion: Not detailed; the activity relied on legitimate internal access rather than on bypassing external defenses.
- Credential Access: Suspected compromise or misuse of an employee's VPN credentials.
- Discovery: VPN logs show that an agency VPN account was used to run queries against the RENAPER database.
- Lateral Movement: Limited to gaining access to and querying the central RENAPER database via the VPN.
- Collection: Full contents of the Citizen ID database were gathered.
- Exfiltration: Data was packaged and offered for sale on a dark web forum.
- Impact: Massive exposure of PII for over 45 million citizens.
## Impact Assessment
- Financial: Not publicly disclosed.
- Data Breach: Full contents of the National Registry of Persons (RENAPER) exposed, affecting approximately 45 million citizens. Data included names, photos, addresses, and ID numbers.
- Operational: Any downtime or service interruption for RENAPER systems is unspecified; the primary operational impact is the long-term security risk to citizens.
- Reputational: Significant damage to public trust in the Argentinian government’s data security capabilities.
## Indicators of Compromise
- Network indicators: An agency VPN account, normally used for authorized remote access, traced to the database queries (specific IP addresses are not provided).
- File indicators: Data offered for sale on a dark web forum.
- Behavioral indicators: Unauthorized or unusual database queries executed via a compromised or misused agency VPN account.
## Response Actions
- Containment measures: Investigation initiated focusing on internal accounts and logs (VPN usage).
- Eradication steps: Not detailed; presumed steps involve severing compromised accounts and auditing access controls.
- Recovery actions: Not detailed, likely undergoing internal and security reviews.
## Lessons Learned
- The centralized storage of highly sensitive national PII (including biometric data like photos) creates an extremely high-value target.
- Insider threats remain a significant vector, even when public-facing defenses appear adequate.
- The rapid transition from a potential breach to public dissemination (via social media leaks) highlights security disclosure challenges.
- What could have been done better: Implementation of stricter access controls, segregation of duties, and multi-factor authentication, especially for remote access via VPN to critical databases, regardless of user role.
## Recommendations
- Immediately enforce Multi-Factor Authentication (MFA) on all VPN access points, especially those leading to sensitive data repositories.
- Audit and significantly restrict database access permissions, ensuring the Principle of Least Privilege is strictly applied to all internal users accessing the RENAPER system.
- Implement enhanced User and Entity Behavior Analytics (UEBA) to monitor for anomalous query volumes or access times originating from trusted credentials (like VPN accounts).
- Conduct thorough background checks and continuous security monitoring for personnel with access to core national registry infrastructure.
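The behavioral indicator listed above (unusual database queries executed through an agency VPN account) and the UEBA recommendation describe the same detection. As an added example that is not part of the original report, the Python below correlates a constructed VPN session log with a constructed database audit log and flags accounts whose daily query volume or off-hours VPN-backed querying departs from their own prior history. The log formats, account names, IP addresses and thresholds are all assumptions made for the example.

```python
"""Flag anomalous bulk database queries made through VPN sessions.

Added example, not code from the report. It correlates a VPN session log
with a database audit log and flags accounts whose query volume or timing
departs from their own history. Log formats, accounts and IPs are constructed.
"""
from collections import defaultdict
from datetime import datetime, time
from statistics import median

# Constructed VPN session records: account, remote IP, session start, session end.
VPN_SESSIONS = [
    ("jdoe",   "203.0.113.10", "2021-10-28 09:02", "2021-10-28 17:31"),
    ("jdoe",   "203.0.113.10", "2021-10-29 08:55", "2021-10-29 17:10"),
    ("jdoe",   "203.0.113.10", "2021-11-01 02:14", "2021-11-01 04:50"),
    ("mperez", "198.51.100.7", "2021-10-29 09:10", "2021-10-29 16:45"),
]

# Constructed database audit records: timestamp, account, rows returned.
DB_AUDIT = [
    ("2021-10-28 09:30", "jdoe", 120),
    ("2021-10-28 11:05", "jdoe", 85),
    ("2021-10-29 10:12", "jdoe", 140),
    ("2021-10-29 15:40", "jdoe", 60),
    ("2021-11-01 02:20", "jdoe", 9_000_000),   # bulk pull during an off-hours VPN session
    ("2021-11-01 03:40", "jdoe", 12_000_000),
    ("2021-10-29 09:30", "mperez", 200),
    ("2021-10-29 13:15", "mperez", 150),
]

BUSINESS_HOURS = (time(7, 0), time(20, 0))  # assumed working window
VOLUME_MULTIPLIER = 20   # flag a day whose rows exceed 20x the account's median day
MIN_HISTORY_DAYS = 2     # require this many prior days before the volume rule applies


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def vpn_session_for(account, ts, sessions=VPN_SESSIONS):
    """Return the VPN session (if any) that was open for `account` at `ts`."""
    for acct, ip, start, end in sessions:
        if acct == account and _parse(start) <= ts <= _parse(end):
            return (acct, ip, start, end)
    return None


def daily_rows(audit=DB_AUDIT):
    """Sum rows returned per (account, date)."""
    totals = defaultdict(int)
    for ts, account, rows in audit:
        totals[(account, _parse(ts).date())] += rows
    return totals


def detect_anomalies(audit=DB_AUDIT, sessions=VPN_SESSIONS):
    """Return a list of (account, date, reasons) for account-days that look anomalous."""
    totals = daily_rows(audit)
    findings = []
    for (account, day), rows in sorted(totals.items()):
        reasons = []
        # Baseline: this account's median daily volume on earlier days only,
        # so the anomalous day cannot inflate its own baseline.
        history = [v for (a, d), v in totals.items() if a == account and d < day]
        if len(history) >= MIN_HISTORY_DAYS and rows > VOLUME_MULTIPLIER * median(history):
            reasons.append(f"volume {rows} vs median {median(history):.0f}")
        # Timing: any query on this day outside business hours while a VPN session was open.
        for ts, acct, _ in audit:
            t = _parse(ts)
            if acct != account or t.date() != day:
                continue
            in_hours = BUSINESS_HOURS[0] <= t.time() <= BUSINESS_HOURS[1]
            if not in_hours and vpn_session_for(acct, t, sessions):
                reasons.append(f"off-hours VPN query at {ts}")
                break
        if reasons:
            findings.append((account, day, reasons))
    return findings


if __name__ == "__main__":
    for account, day, reasons in detect_anomalies():
        print(account, day, "; ".join(reasons))
```

Two design points matter for this class of detection: the volume baseline is computed from earlier days only, so a single bulk pull cannot mask itself by raising the account's own median, and the off-hours rule fires only when the query is tied to an open VPN session, which is the combination the report's VPN logs exposed.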