Official Publication: ENTRYRISE S.R.L
Scope: Public notification on data breach and incorrect handling of breach
Date of the breach: September 7, 2023
BREACH Details:
- Over 50.000 private individuals personal details, including names, personal identification numbers (CNP), sex, birth date, birth place, address, PO box address, phone number, mobile phone number, email address, phone address, website, authorization number, "APEA", citizenship, professional details, and more.
RISKS:
- Identity Theft
- Misuse of credentials
- Fraud and money laundering through identity theft (Such as taking online loans)
On September 7, 2023 CECCAR, the Romanian accounting association, has suffered a major breach involving all expert accountants and authorized accountants.
With the following information made public:
Full Name: Identifying the individual members.
Personal Numeric Code (CNP): A unique identifier containing sensitive data such as birth date and gender.
Address: Either office or home addresses.
Date and Place of Birth: Including specific locality, adding to personal identification.
Mobile Phone Numbers: Some instances include landline numbers.
Mailing Address: Different from the residential or office address.
Data related to Registration in CECCAR: Intended for public viewing, but sensitive in nature.
Personal Identification Number (CIP): Another unique identifier.
Citizenship: This could be sensitive as it might indicate ethnicity.
More
Vulnerability Difficulty very low
The vulnerability was one that allowed the access of privately identifying data directly through the browser,
Notification attempt and official response
The DPO, as well as the official contact address of CECCAR, was immediately notified with details including the extent of the breach, steps to reproduce the issue, and potential solutions.
Common behavior shared by the Bar Association (UNBR):
We have BCC-ed the national data protection agency to ensure that the breach is properly notified since previous reports related to a similar vulnerability leading to the leaking of all PINs (CNPs) of Lawyers registered at a bar went similarly unreported.
The full extent of the report can be viewed here (Email Download - PDF):
The vulnerability has been marked as resolved on our validation on the 10th of September, with the technical team removing the personally identifying information from the endpoint.
We believe this has fully resolved the breach.
Breach Period
While we were unable to validate the scope of the vulnerability, we believe the breach persisted for a period of time at least 6 months, having identified the vulnerable program to have been accessible since 2021.
Risk assessment and CVSS details
The vulnerability was assessed based on criticality, impact, and exploitability using the CVSS scoring metric, with an estimated CVSS Score of:
CVSS Base Score: 7.5/10
Impact Subscore: 3.6/1o
Exploitability Subscore: 3.9/10
CVSS Temporal Score: 7.2/10
CVSS Environmental Score: 7.2/10
Modified Impact Subscore: 3.6/10
Overall CVSS Score: 7.2/10
Reply from ANSPDCP
The national data protection agency has not been notified of the breach by the DPO of CECCAR, in accordance with the requirements of the law.
On January 3, 2024, ANSPDCP notified us that they were unable to find the vulnerability and requested proof. Proof was provided, including the entire data that was leaked by CECCAR.
We believe that everyone should be aware the extent of the way their data is processed. While we are pro-processing, and are ourselves a platform that does use analytics to help shape our products, we believe this should be done responsibly and with proper disclosure.
The behavior of CECCAR, which decided to hide the vulnerability instead of notifying them, is proof of malicious activity on their behalf, and the attempt to hide away not being able to protect this information.
Given that a similar breach was swept under the rug by the bar association in Romania regarding a previous notification, we have taken it upon ourselves to notify the individuals directly to prevent any further concealment of this data breach.
Check if you were breached in the CECCAR data breach:
We have emailed all of the affected individuals with a comprehensive report detailing the breached data.
However, due to the lack of trust and awareness (we are a private entity) into the breach, we decided making a tool to help individuals realize they have been breached safely.
CECCAR - Data Breach
A data breach was identified on September 7, 2023, which CECCAR failed to report, exposing the personal information of over 50,000 individuals.
β Stefan-Lucian Deleanu
CECCAR - Data Breach
Update #1: 06.01.2024 00:48
Release Details
On September 7, 2023 CECCAR, the Romanian accounting association, has suffered a major breach involving all expert accountants and authorized accountants.
With the following information made public:
Vulnerability Difficulty very low
The vulnerability was one that allowed the access of privately identifying data directly through the browser,
Notification attempt and official response
The DPO, as well as the official contact address of CECCAR, was immediately notified with details including the extent of the breach, steps to reproduce the issue, and potential solutions.
Common behavior shared by the Bar Association (UNBR):
We have BCC-ed the national data protection agency to ensure that the breach is properly notified since previous reports related to a similar vulnerability leading to the leaking of all PINs (CNPs) of Lawyers registered at a bar went similarly unreported.
The full extent of the report can be viewed here (Email Download - PDF):
Reply from CECCAR DPO
The DPO of CECCAR, from http://daikokuten.ro/, notified us that all of the required measures will be taken to properly disclose the vulnerability post-resolution and inform the national data agency.
Steps taken
The vulnerability has been marked as resolved on our validation on the 10th of September, with the technical team removing the personally identifying information from the endpoint.
We believe this has fully resolved the breach.
Breach Period
While we were unable to validate the scope of the vulnerability, we believe the breach persisted for a period of time at least 6 months, having identified the vulnerable program to have been accessible since 2021.
Risk assessment and CVSS details
The vulnerability was assessed based on criticality, impact, and exploitability using the CVSS scoring metric, with an estimated CVSS Score of:
Reply from ANSPDCP
The national data protection agency has not been notified of the breach by the DPO of CECCAR, in accordance with the requirements of the law.
On January 3, 2024, ANSPDCP notified us that they were unable to find the vulnerability and requested proof. Proof was provided, including the entire data that was leaked by CECCAR.
INCORPO.RO - OFFICIAL RELEASE
We believe that everyone should be aware the extent of the way their data is processed. While we are pro-processing, and are ourselves a platform that does use analytics to help shape our products, we believe this should be done responsibly and with proper disclosure.
The behavior of CECCAR, which decided to hide the vulnerability instead of notifying them, is proof of malicious activity on their behalf, and the attempt to hide away not being able to protect this information.
Given that a similar breach was swept under the rug by the bar association in Romania regarding a previous notification, we have taken it upon ourselves to notify the individuals directly to prevent any further concealment of this data breach.
Check if you were breached in the CECCAR data breach:
We have emailed all of the affected individuals with a comprehensive report detailing the breached data.
However, due to the lack of trust and awareness (we are a private entity) into the breach, we decided making a tool to help individuals realize they have been breached safely.
On this page