Incident background
Information exposed
Affected individuals
Individual involved
Measures taken
Obligation to report an incident
Recently, the National Registry of Persons (Renaper) suffered a security incident that could have compromised the personal data of Argentine citizens. Renaper is a public agency within the structure of the Ministry of Inner Affairs in charge of keeping records of citizens and issuing national ID cards. Although the investigation is at an early stage, this article reports the most important points that have been disclosed on this case to date.
According to the news, a Twitter user under the name "@AnibalLeaks" disclosed the personal information and photographs of the ID cards of 44 well-known persons in Argentina and claimed to hold information on the entire population. According to investigations, this person is promoting the commercialisation of the information in unofficial markets.
Additionally, the Ministry of Health stated that it has identified a potential incident affecting its records that could be related to this case.
The compromised information involves individuals' records, such as photos, names, surnames, addresses, ID numbers and ID processing numbers, among others.
The leaked data seems to belong to public officials, political leaders, athletes and celebrities. However, there is a risk that the incident may affect all citizens, considering that the person involved in the case claims to have obtained information of about 45 million Argentine citizens. Argentina currently has an estimated population of 45 million.
The person responsible for this incident has not yet been properly identified. Officials from the Ministry of the Inner Affairs have stated that this is not a hack but appears to be an authorised user who has computational knowledge as well as credentials that enable them to access public authorities' records.
Renaper has filed a criminal complaint with the Federal Court in Criminal and Correctional matters.
Moreover, the Ministry of Health has not only filed a complaint with the courts, but has also modified its entire system of internal codes and passwords. It has also limited its use of personal data from Renaper.
Obligation to report an incident
The Personal Data Protection Law (PDPL) does not provide for an obligation to report a security incident to the controlling authority or the affected data subjects. However, Resolution 40/2018 of the Argentine Agency for the Access to Public Information (Agency), the controlling authority of the PDPL, rules that where a security incident that involves a significant risk to the rights and interests of data subjects is detected, the relevant public body has to report such event without delay to the Agency.
For further information on this topic please contact Mariano Peruzzotti at Ojam Bullrich Flanzbaum by telephone +54 11 4549 4900 or email ([email protected]). The Ojam Bullrich Flanzbaum website can be accessed at www.ojambf.com.