How to Compromise (and Use) the Private Data of All Your Citizens
On August 5, 2023, IT expert Gent Progni published a statement on Facebook, denouncing the recently appointed Director of the Department of Information Technology at the State Police, Ervin Muça. Progni accused Muça of accessing the Total Information Management System (TIMS) database during the night of August 2, without authorization, and copying its contents onto a personal USB stick. Muça used the access codes of another employee who was not present and was assisted by IT specialists from a private business without the proper security clearances.
Previously, in December 2021, Muça had resigned as Director of the Tax Office IT System, after the salary details of 630,000 Albanians had been leaked under his watch. It was an interesting coincidence that he was now involved in yet another, and even more sensitive, data leak.
The TIMS database system, established in 2007 with the help of the US government, is “a sustainable, modern and integrated, information management system to enhance capabilities in criminal investigation, case management, criminal intelligence analysis, border control and overall police administration.” It provides an integrated system for criminal records, passport checks, border control, and vehicle registration. In other words, it contains extremely sensitive private data of every single Albanian citizen. And this entire database was now in the hands of a private individual.
On August 17, the then US Chargé d’Affaires, Martin McDowell, met with then Minister of Interior Affairs Taulant Balla to express his concern about the theft of the database, urging a proper investigation and offering US assistance. On August 25, Muça released the following statement, claiming that he had tried to make a “backup” of the TIMS system:
I am accused, I, senior director of the State Police, that I would have taken data from TIMS onto a USB!!! LIE! LIE! LIE! The data of TIMS have neither been transferred nor exported. […]
One of the main procedures in daily systems management is the backup. Essential for the stability of systems and restoring their function in case of attacks or accidents (I recall here the Iranian cyberattack, when our systems came back online after the unconditional assistance of Microsoft’s DART [Cybersecurity Team] and our strategic partner, the US). […]
I noticed that the backup, a procedure so necessary and important, hadn’t been done as it should have. I requested it to be redone. And… attention: As an answer, I received sabotage.
Muça’s defense was immediately echoed by Prime Minister Edi Rama:
This is all a story brought out and manipulated by people who have practically lost power over those data at the State Police. The interior investigation has been conducted fully and there is no concern whatsoever. […] I don’t understand why a chargé d’affaires from the US needs to make such a declaration. […] That serious incident hasn’t happened because it hasn’t had the possibility to happen. In the attempt to make a backup, it turned out that there’s no backup at all.
And a few days later, Minister Balla repeated:
The truth is that since June a new team within the General Directorate of the Police has been working on a thorough change in terms of technical and security management, that those who have been laid off may be critical of or complain about, raising doubts about the work done by those who have taken up this task. I guarantee each citizen of the Republic of Albania that no data from TIMS have leaked and that there hasn’t been any problem.
While the Prosecution of Tirana started its investigation in September, Muça remained in office as the head of IT of the State Police. On April 2, 2024, after months of pressure by the opposition, a parliamentary commission was installed to investigate the TIMS data leak. A week later, the Court of Tirana suddenly ordered the suspension of Muça from office. He was arrested and placed under house arrest, under suspicion of “unauthorized computer access.”
This wasn’t the first time the TIMS system had been compromised. As already mentioned by Muça in his defense of his actions, TIMS had previously come under attack from suspected Iranian hackers, most likely because of the shelter provided by the Albanian government to the former Iranian terrorist group Mojahedin-e-Khalq.
In February 2022, the entire TIMS system was taken offline, making passport checks at airports and border crossings practically impossible. I remember flying into Rinas and the customs official taking a photo of my passport with their personal cell phone, as the computer system was offline. This was the beginning of a series of cyberattacks that continued over several months. In July, another cyberattack disrupted several Albanian government systems, and their recovery required the extended assistance of the US government. As in other cases, Prime Minister Rama denied that any personal data had been compromised:
We assure all citizens that the data of the information systems of government services are secure and untouched.
In September, in the aftermath of another cyberattack on TIMS, the Albanian government cut diplomatic ties with Iran and expelled the remaining diplomatic personnel from the country. In tandem, the US government released a statement openly accusing the Iranian government of involvement in the series of cyberattacks. In October of the same year, the TIMS system was again offline.
What happened with all the data accessed and captured during this series of cyberattacks? Just like the tax database circulated freely on WhatsApp, the government and private data captured by the supposed Iranian hackers are relatively easily accessible via a channel on the secure messaging app Telegram. Over several months, the hackers managing the Telegram channel “Homeland Justice” posted the contents of the email servers of the National Authority for the Security of Classified Information (AKSIK), the Ministry of Foreign Affairs, Tirana Municipality, the Electronic and Postal Communications Authority (AKEP), the Ministry of Finance, Albanian embassies in Athens, Moscow, and Skopje, the President’s Office, and Parliament, in addition to email communications of officials such as former Minister of Interior Bledi Çuçi, police chief Gledis Nano, former director of the Albanian Intelligence Service (ShISh) Helidon Bendo, former Deputy Prime Minister Niko Peleshi, and Prime Minister Edi Rama. The hackers also posted database dumps containing passport numbers, names, dates of birth, and phone numbers of Albanian citizens, vehicle registration records, client lists of Credins Bank, lists of criminal suspects, and voter lists. In other words, this was a series of massive data breaches which fully compromised databases of both the Albanian government and large private companies.
When Albanian media started to publish material from the leaked government emails, including the details of alleged plots to assassinate Albanian and Kosovar political figures, the Prosecution of Tirana issued a blanket ban on any reporting on the government hacks, which was heavily criticized by press freedom organizations.
Naturally, none of those citizens whose data were compromised in this series of cyberattacks were officially notified of the data breach. The repercussions in the government were few and far between. In December 2022, several IT specialists were placed under investigation for abuse of duty for failing to update antivirus systems. In the same month, ShISh Director Helidon Bendo resigned, reportedly in part because of the Iranian cyberattacks. Olian Kanushi, former director of the Situation Room at the Prime Ministry, took over.
The potential damage that can be wrought with the personal and government data gathered and exposed through the Iranian cyberattacks is massive. But apart from embarrassing the Albanian government, the hackers of Homeland Justice have not been able to put these data to any practical use, yet.
But what could one potentially do with a dataset such as the TIMS database “backuped” by Socialist Party-appointee Ervin Muça on his USB stick? In order to understand the practical value of these data, and why these types of leaks keep occurring in Albania with or without the Iranians, we need to turn our attention to yet another leak.
In April 2021, online portal Lapsi first reported on the online circulation of a large database containing the personal details of over 900,000 Albanian citizens belonging to the Socialist Party (PS). The database not only contained extensive personal data about these citizens, but each of them was also allocated a so-called patronazhist, a PS party member, often a public servant, in charge of securing their vote. To this end, the database also contained information on possible “levers,” such as old age, poverty, sexual preference, or recent emigration – some of which is data uniquely recorded in TIMS.
TIMS records, criminal records, tax records, family records, and so on are all invaluable in the eternal quest to secure the elections. They provide the material to blackmail political opponents, to coerce citizens to cast their vote a certain way, to manipulate a population by wielding their private data against them. This also explains why, in spite of multiple hacks and leaks exposing sensitive personal records, the very same ID numbers, bank account numbers, number plates, and passports that have been leaked remain in use as if nothing happened.
The only proper response of any government to such a massive breach of security would have been to issue new identity papers to each and every Albanian citizen, to ensure they are protected against the real threat of identity theft. However, this would defeat the purpose of these leaks in the first place. The exposure of Albanian citizens, to make them less secure, is the entire point.
Muça’s involvement in the tax office and police database leaks under the governance of the Socialist Party is by no means unique to that party. Under the previous government of the Democratic Party, too, we can point to data leaks, such as that of the Civil Registry in the late 2000s, that no doubt served a political or electoral purpose. What is different this time is the massive scale: not only has the Socialist Party set up a fine-grained network of political informants in charge of securing the vote of specific households, they now also have access to an entire spectrum of information that will greatly facilitate their work.
The Albanian Mechanism is part of Manifesto GREAT WAVE.