A security breach at a Romanian online tax platform with more than one million users has been fixed after it was discovered by a cyber security researcher, the government said.
Alexandru Panait, the security researcher, said he uncovered a serious security breach at Ghișeul.ro platform at the beginning of the month. It could have potentially compromised the personal data of millions of Romanians, he said.
The 25-year-old security researcher notified Romanian authorities and then worked with the Romanian cyber security team and the Romanian digitization authority to eliminate the security gap.
Ghiseul.ro has been active since 2011 and currently has slightly more than one million users. The convenience of being able to access data online as opposed to having to pick it up physically from the local tax office led to a rise in people using the system.
Mr Panait told daily Adevarul.ro how he discovered the vulnerability and how the data of millions of users could have been compromised.
“After using a normal flow of data from ghiseul.ro….. based on my computer security experience….. I discovered that the National Electronic Payment System had a serious security breach,” he said.
He said that hackers could potentially access millions of national identification numbers of businesses and institutions registered in the national system, as well as people’s addresses and data on their assets, he said.
He reached out to the legal partners of the Blockchain Romania Association and they told him to report the national security-related issue to the relevant authorities.
He sent a notification to Cert.ro, the Romanian national cyber security and incident response describing the vulnerability.
“I gave them all the data I had…. From which I could see that the vulnerability hadn’t been exploited by anyone,” he said.
He claimed that a staggering 10-15 million people’s personal details could have been leaked.
Cert.ro and the Romanian digitalisation office, ADR, said on April 9 that they had recently fixed a vulnerability that could have led to a massive security breach of users’ personal details.
“The joint effort by the two institutions was based on a complaint from cyber security researcher Alexandru..Panait,” the statement said.
“In this way, the security risk was eliminated. Malicious actors, who deliberately break the law and the rules of the platform could gave had unauthorized access to users’ data.”
The National Cyber Security Incident Response Center, the Romanian Digitization Agency and Alexandru.. Panait worked together to resolve the vulnerability.”
“Authorities encourage responsible reporting of cybersecurity vulnerabilities, either directly to the system managers involved or through the security vulnerability reporting service provided by Cert.ro,” the statement said.
„Critical sectors like health, public administration, transportation, energy and finance are increasingly relying on digital technologies to run their core business, which is inherently exposed to growing cyber threats, ” it added.