
CECCAR - Data Breach

Data breach identified on September 7, 2023, and not reported by CECCAR, with the information of over 50,000 individuals publicly accessible.

— Stefan-Lucian Deleanu

Official Publication: ENTRYRISE S.R.L
Scope: Public notification on data breach and incorrect handling of breach
Date of the breach: September 7, 2023

BREACH Details:
- Over 50,000 private individuals' personal details, including names, personal identification numbers (CNP), sex, birth date, birth place, address, PO box address, phone number, mobile phone number, email address, phone address, website, authorization number, "APEA", citizenship, professional details, and more.

RISKS:
- Identity Theft
- Misuse of credentials
- Fraud and money laundering through identity theft (such as taking out online loans)
https://www.linkedin.com/in/stefan-deleanu-94036417b/
https://www.facebook.com/stefatorus
MAIL: [email protected]

Update #1: 06.01.2024 00:48

Release Details

On September 7, 2023, CECCAR, the Romanian accounting association, suffered a major breach involving all expert accountants and authorized accountants.

With the following information made public:

  1. Full Name: Identifying the individual members.
  2. Personal Numeric Code (CNP): Unique identifier containing sensitive data like birth date and gender.
  3. Address: Either office or home addresses.
  4. Date and Place of Birth: Including specific locality, adding to personal identification.
  5. Mobile Phone Numbers: Some instances include landline numbers.
  6. Mailing Address: Different from the residential or office address.
  7. Data related to Registration in CECCAR: Intended for public display, but still sensitive in this context.
  8. Personal Identification Number (CIP): Another unique identifier.
  9. Citizenship: This could be sensitive as it might indicate ethnicity.
  10. More

Vulnerability difficulty: very low

The vulnerability allowed personally identifying data to be accessed directly through the browser.

Notification attempt and official response

The DPO, as well as the official contact address of CECCAR, were immediately notified with details including the extent of the breach, steps to reproduce the issue, and potential solutions.

Common behavior shared by the Bar Association (UNBR):

We BCC'd the national data protection agency to ensure that the breach is properly notified, since previous reports of a similar vulnerability, which leaked the PINs (CNPs) of all lawyers registered at a bar, likewise went unreported.

The full extent of the report can be viewed here (Email Download - PDF):

Reply from CECCAR DPO

The DPO of CECCAR, from http://daikokuten.ro/, notified us that all of the required measures will be taken to properly disclose the vulnerability post-resolution and inform the national data agency.

Steps taken

We validated the fix on September 10 and marked the vulnerability as resolved, the technical team having removed the personally identifying information from the endpoint.

We believe this has fully resolved the breach.

Breach Period

While we were unable to validate the full extent of the vulnerability, we believe the breach existed for at least 6 months, having found that the vulnerable program had been accessible since 2021.

Risk assessment and CVSS details

The vulnerability was assessed for criticality, impact, and exploitability using the CVSS scoring metric, with the following estimated scores:

  • CVSS Base Score: 7.5/10
  • Impact Subscore: 3.6/10
  • Exploitability Subscore: 3.9/10
  • CVSS Temporal Score: 7.2/10
  • CVSS Environmental Score: 7.2/10
  • Modified Impact Subscore: 3.6/10
  • Overall CVSS Score: 7.2/10

Reply from ANSPDCP

The national data protection agency was not notified of the breach by the DPO of CECCAR, as the law requires.

On January 3, 2024, ANSPDCP notified us that they were unable to find the vulnerability and requested proof. Proof was provided, including the entire data set that CECCAR had leaked.

INCORPO.RO - OFFICIAL RELEASE

We believe that everyone should be aware of the extent to which their data is processed. While we are pro-processing, and are ourselves a platform that uses analytics to help shape our products, we believe this should be done responsibly and with proper disclosure.

The behavior of CECCAR, which decided to hide the vulnerability instead of notifying those affected, is proof of malicious activity on their behalf, and of an attempt to hide their inability to protect this information.

With a similar breach having been swept under the rug by the bar association in Romania after a previous notification, we've decided to notify the individuals ourselves so that this data breach cannot be hidden.

Check if you were breached in the CECCAR data breach:

We have emailed all of the breached individuals with a full extent report of the breached data.

However, because a notice from a private entity like ours may not be trusted or noticed, we decided to build a tool that lets individuals check safely whether they were affected by the breach.