On July 23, 2021, Estonian law enforcement authorities arrested a man under suspicion that he has exploited a government photo transfer service vulnerability to download ID scans of 286,438 Estonians from the Identity Documents Database (KMAIS). The suspect acquired victim names and ID numbers from various public databases and used them to download the government photos. Authorities stated the stolen photos could not be used for fraud to gain access to e-services or perform financial transactions and victims have no need to apply for new passports, ID card, etc. The Estonian government will notify all victims via email.
Estonian authorities believe the stolen data was not transmitted from the suspect’s computer and therefore does not pose a threat of identity theft to victims. If information such as photos and identification numbers are stolen from an individual, it is possible for threat actors to create fake documents, credentials, and social media accounts. If an individual suspects their data was stolen or used maliciously they should report it to the proper authorities.