Category Archives: Information Classification

Sensitive personal data published in document registers of state agencies

During a Garage48 hackathon held in Tallinn over the weekend, one participating team announced that they could not publish the results of their work as it contained too much personal data they had accidentally come across in state document registers. There are hundreds of such registers across Estonia, as ministries, agencies, local governments and schools each have their own digital document registers.

The paper noted that while the Estonian Data Protection Inspectorate does check the security of document registers, it does so by hand, and checks are often followed by monitoring procedures and, less frequently, even fines for register administrators.

A similar problem was discovered back in April by Estonian startup Texta, which created its own document register analysis tool. Texta co-founder Silver Traat said they discovered a lot of highly detailed personal information in the document register of the education ministry.

“We held a workshop as part of a language technology conference where we did what the state lacks the capacity to do itself. We downloaded 150,000 documents from the ministry’s document register and discovered that they held, among other things, people’s personal identification numbers, bank account numbers, addresses. We even came across some passport numbers,” Traat described. He added that most of the information was from employment contracts.

This is the unfortunate side-effect of open data. For that data to be useful it actually has to contain at least some bits of personal data.


Estonian Internal Security Service (KaPo) Yearbook 2016

The KaPo annual review 2016 discusses cyber security on page 21:

In 2016, Estonia also saw some attempts to access the information of the state’s high-level decision-makers. The attacks were extremely skilfully executed from the technical point of view with the use of credible fake e-mails and previously unknown technical methods. In view of the functioning mechanisms of the abovementioned APTs, it is clear that attacks cannot be avoided entirely, but they need to be identified, and major damage needs to be mitigated.
As far as Estonia is concerned, we forecast that cyber threats will increase in 2017 due to the EU presidency and the arrival of NATO units.

The section “Protection of state secrets” covers the case of Alexander Goncharov and Ivo Jurak on which we reported before.


KaPo suspects defense forces’ officer of exposing state secret


Captain Ivo Jurak (38) has been in custody for a month already as the Estonian Internal Security Service (KaPo) suspects him of having exposed a state secret. Jurak served as junior staff officer at the Estonian Defence Forces’ Movement Coordination Centre, reported Estonian daily Eesti Ekspress. This center coordinates the Defence Forces’ strategic transport, including the movement of NATO forces and equipment arriving in Estonia.

The KaPo suspects Jurak of having taken documents containing a state secret along with him from work and keeping them at home. According to Jurak’s lawyer Natalia Lausmaa, Jurak admits his guilt. Jurak is suspected according to Paragraph 241 of the Penal Code, which means that the exposure of a state secret is unrelated to treason or spying. If found guilty, Jurak could face a fine or up to five years in prison.

Case similar to this one.

The KAPO annual review 2016 also mentions an illegal surveillance charge, whatever it means:

Jurak took state secrets he possessed home from work. During the investigation, it was also established that Jurak unlawfully obtained and kept a weapon not related to the defence forces, and was involved with unauthorised surveillance after leaving employment.


Kapo ex-employee convicted for allowing access to state secrets


A former employee of the Internal Security Service (ISS) was given a prison sentence for enabling illegal access to state secrets, spokespeople for ISS said. The man had taken home confidential documents.

The verdict against Aleksandr Gontšarov, 54, entered into force on Wednesday. Gontšarov, who had retired five years ago, was detained on Jan. 6 and taken into custody two days later. He admitted his guilt during the pre-trial investigation.

The first-tier Harju County Court found him guilty of enabling illegal access to state secrets and sentenced him to two years and four months, six months of which were to be served immediately and the rest not required if he did not commit a new offense within a probation period of two years and six months. Gontšarov didn’t appeal.

Gontšarov had worked in different positions in the security police between 1994 and 2011. In September 2011 he took home various documents and data storage media that were in his hands in connection with his job. He kept them in the apartments he owned in Tallinn, thereby allowing the materials to be unlawfully accessed by persons not cleared for access to state secrets.

The wording reads as if Gontšarov did not deliberately leak state secrets to third persons. The question then is who the persons were that got access. Random relatives of Gontšarov or Russian intelligence officers?

The KAPO annual review 2016 mentions the case:

According to the court judgement, before leaving employment in September 2011, he took documents and data media containing state secrets, which he had in his possession for work-related purposes, out of the Internal Security Service’s secure area. He kept them outside of the secure area, in the apartments he owns in Tallinn, thus enabling unauthorised people without a need to know to have illegal access to state secrets.

It also provides a picture of boxes full of Estonian state secrets lying about the household of Alexander Goncharov:


Security system of president’s new residence publicly available on the Internet


Drawings of the security systems of Estonia’s new presidential residence in the Rocca al Mare district of Tallinn were publicly available on the internet for four days, news of the public broadcaster ERR reported.

The state real estate management company Riigi Kinnisvara AS (RKAS), which launched a tender for the renovation of the residence, uploaded the entire project documentation to the register of construction tenders. Among other things, it revealed the positions of movement sensors and surveillance cameras, how many household members would be given panic buttons with a direct connection to the police, and the route of the cable whose breaking would cut off the electricity supply to the residence.

RKAS said in response to ERR news that surveillance cameras are only one part of the complex security system of the residence and that the project documentation did not include the part of the system classified as a state secret.

But spokeswoman for the Internal Security Service (ISS) Agnes Suurmets-Ots said such information definitely ought not to be publicly available. “We have to admit that it poses a security threat once such information has become public in a very regrettable way,” she said. The spokeswoman said she cannot at this point offer a comment on the measures that will be taken, but ISS certainly does not agree with RKAS chief’s opinion that the leak does not represent a security threat.

Access to the documents concerning the security of the residence has been restricted by now.


Sensitive information related to cyber security will be classified as a state secret


The amendments to the State Secrets And Classified Information Of Foreign States Act, which will define as a state secret any classified information related to cyber security or critical information infrastructure protection, will increase the number of officials who will have access to state secrets and their responsibility towards their employers.

The Estonian Internal Security Service (KaPo) is responsible for maintaining information about people with state secrets clearance.
“KaPo has never disclosed how many people exactly have the right to access the state secrets and classified information of foreign states. It is clear that these (cyber security) persons now will also need the access, but precise number we will not disclose,” said KAPO spokesman Harrys Puusepp.

“The need to access state secrets is always derived from the particular job description, it is not granted for fun. The employer’s primary responsibility is to protect state secrets, and now he will also have a sufficient possibility to do that. The amendments to the Act will certainly help to do that,” added Puusepp.

According to Interior Ministry spokesperson Toomas Viks, the amendments to the Act primarily concern employees of the Estonian Information System Authority (EISA).

The head of the EISA PR department, Rauno Veri, said that EISA staff already have the necessary clearance today, so the amendment will not raise the number of people eligible to access state secrets.

In mid-December the government passed a draft obliging officials with access to state secrets to report their private trips abroad. The list of countries will be established by the Ministry of the Interior. Viks noted that the obligation to notify will not apply to European Union, Schengen Agreement and NATO member countries.

Additions to the current version of the State Secrets And Classified Information Of Foreign States Act:

Paragraph 10 [list of State Secret subcategories] is amended by clause 9 as below:
EISA risk assessments, monitoring data, information gathered during supervisory actions about critical vulnerabilities in information systems; to the extent that such information contains technical data on the critical vulnerabilities of the information systems of: constitutional institutions, government agencies and their subordinated institutions; vital service providers, international organizations whose security is provided by Estonia; and, if the revelation of such information to the irrelevant parties could raise the risk of a security incident in these fields, except such information, which, if revealed, will not endanger the security of the Estonian Republic; such information will be classified for up to 10 years at the “restricted” level.