Full Report
Breaches involving government entities may be politically motivated, such as the 2022 compromise of the Presidency of Moldova's email server or the 2024 compromise of Moldova's parliamentary email servers just days before the country's presidential election. Other incidents may be due to human error or may be financially motivated. In Part 1, DataBreaches describes a...
Analysis Summary
# Incident Report: Exposure of Moldovan Government Job Applicant Data
## Executive Summary
The Moldovan government job portal, Cariere.gov[.]md, suffered a long-term data exposure caused by a Broken Object Level Authorization (BOLA) flaw, the same class of bug known in web applications as an Insecure Direct Object Reference (IDOR). An external researcher found that over 7,700 applicant folders and roughly 19,000 JSON files containing sensitive personal and professional information could be retrieved without authentication simply by editing the numeric ID in the URL. Despite repeated warnings to government agencies, the hole stayed open for nine days after the researcher's first report and was closed only after media inquiries.
## Incident Details
- **Discovery Date:** February 5, 2026
- **Incident Date:** Ongoing exposure for "years" prior to February 2026 remediation
- **Affected Organization:** Government of Moldova (Cancelaria / STISC)
- **Sector:** Government
- **Geography:** Moldova
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown start date; reported February 5, 2026.
- **Vector:** Insecure Direct Object Reference (IDOR) / URL Manipulation.
- **Details:** No login or session was required. Each applicant folder was addressed by a numeric ID at the end of the portal URL, and the server returned the folder's contents for any ID supplied, so a visitor could walk the entire applicant set by incrementing that number.
### Lateral Movement
- **Details:** N/A. The vulnerability allowed direct access to the entire repository of applicant data without needing to move through the network.
### Data Exfiltration/Impact
- **Details:** Researcher Ionatan Andronachi accessed/downloaded 7,758 folders and approximately 19,000 JSON files to verify the vulnerability.
### Detection & Response
- **February 5:** Researcher identifies the flaw and attempts to notify the government.
- **February 8:** DataBreaches.net contacts the government (Cancelaria) email address.
- **February 11:** STISC (the state IT and cybersecurity service) replies that the portal is not its responsibility and points to Cancelaria.
- **February 13:** Cancelaria declines to investigate because the researcher's report does not carry an electronic signature.
- **February 14:** Following a second inquiry from DataBreaches.net, the vulnerability was remediated (URL manipulation no longer permitted).
## Attack Methodology
- **Initial Access:** Exploitation of broken access control (IDOR).
- **Persistence:** N/A (Web-based exposure).
- **Privilege Escalation:** Not required; an unauthenticated request to a public URL returned any applicant's record, so no privilege beyond "anonymous visitor" was needed.
- **Defense Evasion:** None; the records were served to any client directly from the web application, with no authentication or authorization check to evade.
- **Credential Access:** None required.
- **Discovery:** URL parameter tampering.
- **Collection:** Automated or manual scraping of applicant folders.
- **Exfiltration:** Direct download over HTTP via a browser or any HTTP client. Signal, mentioned in the source only as a messaging channel, was not part of the data-access path.
- **Impact:** Mass exposure of PII and potential for identity theft/political targeting.
## Impact Assessment
- **Financial:** Potential costs related to identity monitoring for thousands of citizens (if provided).
- **Data Breach:** Exposure of 7,758 applicant folders containing names, addresses, government IDs, medical forms, criminal records, and CVs.
- **Operational:** Disruption of trust in government digital services.
- **Reputational:** High; government agencies engaged in "hot potato" blame-shifting rather than immediate remediation.
## Indicators of Compromise
- **Network indicators:** Unauthenticated GET requests to `cariere.gov[.]md` with sequential numerical ID changes.
- **File indicators:** Open access to JSON files and document subdirectories (PDFs/DOCs).
- **Behavioral indicators:** Abnormal traffic patterns from a single IP accessing a large volume of sequential applicant IDs.
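The behavioral indicator above, one client walking sequential applicant IDs, is straightforward to check for in ordinary web server access logs, and the same logic is what the forensic log review recommended later in this report would run over the portal's historical logs. The following is an added example, not code from DataBreaches.net or the Moldovan government: it parses combined-format access log lines, groups successful requests for applicant records by client IP, and flags any IP whose distinct IDs are mostly consecutive. The log lines are constructed, and the `/applicants/<id>` path shape is a hypothetical stand-in, since the real portal's URL layout is not given in the source.

```python
"""Detect sequential applicant-ID enumeration in web access logs (added example)."""
import re
from collections import defaultdict

# Nginx/Apache "combined" log format; only the fields we need are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Hypothetical path shape for an applicant folder; adjust to the real portal's routes.
APPLICANT_PATH = re.compile(r"^/applicants/(?P<id>\d+)(?:/|$|\?)")

# Constructed sample log: 203.0.113.7 walks IDs 1001..1008 (plus a subfile and a miss),
# 198.51.100.2 looks like a normal user, 192.0.2.9 touches only three records.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Feb/2026:10:00:01 +0200] "GET /applicants/1001 HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [05/Feb/2026:10:00:01 +0200] "GET /applicants/1001/cv.pdf HTTP/1.1" 200 81920 "-" "python-requests/2.31"
203.0.113.7 - - [05/Feb/2026:10:00:02 +0200] "GET /applicants/1002 HTTP/1.1" 200 4990 "-" "python-requests/2.31"
203.0.113.7 - - [05/Feb/2026:10:00:02 +0200] "GET /applicants/1003 HTTP/1.1" 200 5201 "-" "python-requests/2.31"
203.0.113.7 - - [05/Feb/2026:10:00:03 +0200] "GET /applicants/1004 HTTP/1.1" 200 5110 "-" "python-requests/2.31"
203.0.113.7 - - [05/Feb/2026:10:00:03 +0200] "GET /applicants/1005 HTTP/1.1" 200 4876 "-" "python-requests/2.31"
203.0.113.7 - - [05/Feb/2026:10:00:04 +0200] "GET /applicants/1006 HTTP/1.1" 200 5333 "-" "python-requests/2.31"
203.0.113.7 - - [05/Feb/2026:10:00:04 +0200] "GET /applicants/1007 HTTP/1.1" 200 5012 "-" "python-requests/2.31"
203.0.113.7 - - [05/Feb/2026:10:00:05 +0200] "GET /applicants/1008 HTTP/1.1" 200 5098 "-" "python-requests/2.31"
203.0.113.7 - - [05/Feb/2026:10:00:05 +0200] "GET /applicants/1009 HTTP/1.1" 404 152 "-" "python-requests/2.31"
198.51.100.2 - - [05/Feb/2026:10:01:10 +0200] "GET /applicants/1002 HTTP/1.1" 200 4990 "-" "Mozilla/5.0"
198.51.100.2 - - [05/Feb/2026:10:02:41 +0200] "GET /jobs/77 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.9 - - [05/Feb/2026:10:03:00 +0200] "GET /applicants/2001 HTTP/1.1" 200 5000 "-" "curl/8.4"
192.0.2.9 - - [05/Feb/2026:10:03:00 +0200] "GET /applicants/2002 HTTP/1.1" 200 5000 "-" "curl/8.4"
192.0.2.9 - - [05/Feb/2026:10:03:01 +0200] "GET /applicants/2003 HTTP/1.1" 200 5000 "-" "curl/8.4"
"""


def parse_applicant_requests(lines):
    """Yield (client_ip, applicant_id, status) for every request to an applicant path."""
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed or unrelated line
        p = APPLICANT_PATH.match(m["path"])
        if not p:
            continue  # not an applicant record
        yield m["ip"], int(p["id"]), int(m["status"])


def find_enumeration(lines, min_ids=5, min_sequential=0.8):
    """Flag IPs that successfully fetched at least `min_ids` distinct applicant IDs
    where at least `min_sequential` of the gaps between consecutive IDs equal 1."""
    per_ip = defaultdict(set)
    for ip, applicant_id, status in parse_applicant_requests(lines):
        if status == 200:  # only count records actually handed out
            per_ip[ip].add(applicant_id)

    alerts = []
    for ip, ids in per_ip.items():
        distinct = sorted(ids)
        if len(distinct) < min_ids:
            continue
        gaps = [b - a for a, b in zip(distinct, distinct[1:])]
        sequential_ratio = sum(1 for g in gaps if g == 1) / len(gaps)
        if sequential_ratio >= min_sequential:
            alerts.append({
                "ip": ip,
                "records": len(distinct),
                "first_id": distinct[0],
                "last_id": distinct[-1],
                "sequential_ratio": round(sequential_ratio, 2),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_enumeration(SAMPLE_LOG.splitlines()):
        print(alert)
```

Two practical caveats: the review only covers whatever log window the server actually retained, so an exposure that lasted "years" may have no evidence for most of that period, and behind a CDN or reverse proxy the client address must be taken from the forwarded-for header rather than the connecting IP or every scraper collapses into one proxy address.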
## Response Actions
- **Containment measures:** Access via URL manipulation was disabled on February 14.
- **Eradication steps:** Not publicly described. The source confirms only that changing the ID in the URL no longer returned other applicants' data after February 14; whether the fix was a proper authorization check or something narrower is unknown.
- **Recovery actions:** No official notification to affected applicants, and no statement on whether the exposure window was reviewed for earlier access, has been confirmed.
## Lessons Learned
- **Bureaucratic Barriers:** The requirement for "e-signatures" on vulnerability reports significantly delayed the closing of a critical security hole.
- **Inter-agency Communication:** The lack of a clear Incident Response (IR) owner between STISC and Cancelaria led to critical delays.
- **Security by Design:** Basic web security principles (authentication checks for sensitive objects) were ignored during portal development.
## Recommendations
- **Enforce object-level authorization:** Every request for an applicant record must be checked against the authenticated requester (record owner or a role permitted to read all records). Role-based access control on its own does not prevent this class of bug; the check has to be applied to the specific object ID in each request.
- **Establish a VDP:** Create a clear Vulnerability Disclosure Program that allows researchers to report bugs without legal or bureaucratic hurdles.
- **Audit Logs:** Conduct a forensic review of web server logs to determine whether anyone other than the researcher enumerated applicant IDs. The review is bounded by log retention; if logs for most of the exposure period were rotated out, that limitation should be stated in any breach assessment.
- **Data Encryption:** Encrypt sensitive attachments (government IDs, medical records) at rest to limit damage from storage or backup compromise. Note that encryption at rest would not have prevented this incident, because the application itself decrypted and served the files to any caller; it complements, but does not replace, the authorization fix.
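The access bug described in the Initial Access section, and the object-level check recommended above, are easiest to see side by side in code. The following is an added example written for this report, not the portal's actual code, which is not public: a toy in-memory "applicant store" with the vulnerable handler (trusts the ID in the URL, never asks who is calling) next to a hardened one that authenticates the caller and authorizes the specific record. The record data, user names, the `hr_reviewer` role and the function names are all constructed for illustration. The `enumerate_ids` helper reproduces the researcher's check of walking sequential IDs.

```python
"""IDOR before/after on a toy applicant store (added example, not the real portal code)."""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Constructed sample records; "owner" is the account that submitted the application.
APPLICANTS = {
    1001: {"name": "A. Example", "id_number": "<redacted>", "owner": "alice"},
    1002: {"name": "B. Example", "id_number": "<redacted>", "owner": "bob"},
    1003: {"name": "C. Example", "id_number": "<redacted>", "owner": "carol"},
}


@dataclass(frozen=True)
class Session:
    user: Optional[str] = None            # None models an anonymous visitor
    roles: frozenset = frozenset()        # e.g. frozenset({"hr_reviewer"})


class Forbidden(Exception):
    """Raised for any request the hardened handler refuses to serve."""


def vulnerable_get_applicant(session: Session, applicant_id: int) -> dict:
    """Before: GET /applicants/<id> looks the ID up and returns it to whoever asked.
    The session is accepted but never consulted, which is exactly the BOLA/IDOR pattern."""
    return APPLICANTS[applicant_id]


def secure_get_applicant(session: Session, applicant_id: int) -> dict:
    """After: authenticate, then authorize against the requested object.

    The same failure is returned for "no such record" and "not your record", so the
    endpoint cannot be used as an oracle for which IDs exist.
    """
    if session.user is None:
        raise Forbidden("authentication required")
    record = APPLICANTS.get(applicant_id)
    is_owner = record is not None and record["owner"] == session.user
    is_reviewer = "hr_reviewer" in session.roles
    if record is None or not (is_owner or is_reviewer):
        raise Forbidden("not found")
    return record


def enumerate_ids(handler: Callable[[Session, int], dict],
                  session: Session, id_range: Iterable[int]) -> list:
    """Walk sequential IDs the way the researcher did and report which ones leaked."""
    leaked = []
    for applicant_id in id_range:
        try:
            handler(session, applicant_id)
            leaked.append(applicant_id)
        except (Forbidden, KeyError):
            pass
    return leaked


if __name__ == "__main__":
    anonymous = Session()
    print("vulnerable, anonymous:", enumerate_ids(vulnerable_get_applicant, anonymous, range(1000, 1010)))
    print("hardened, anonymous:  ", enumerate_ids(secure_get_applicant, anonymous, range(1000, 1010)))
    print("hardened, alice:      ", enumerate_ids(secure_get_applicant, Session("alice"), range(1000, 1010)))
    print("hardened, reviewer:   ", enumerate_ids(secure_get_applicant,
                                                 Session("hr", frozenset({"hr_reviewer"})), range(1000, 1010)))
```

The point of the `enumerate_ids` run is the contrast in the first two lines of output: the vulnerable handler hands every record to an anonymous caller, while the hardened one hands out nothing until the caller is both logged in and entitled to the specific ID. In a real framework the same check belongs in the handler for every object-bearing route (record, folder, attachment), not only the listing endpoint.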