Estonia: Public ID Codes Fuel Fraud – Calls for Greater Privacy

Millions of euros have been stolen this year as criminals exploit publicly available personal identification codes in Estonia, raising concerns about data security and the ease with which fraudulent activity can be carried out. The issue highlights a growing global vulnerability as more personal information becomes accessible online.

Authorities say fraudsters have gained access to over 1,000 accounts on the “eesti.ee” state portal, Estonia’s central platform for public services. Criminals are increasingly leveraging publicly accessible information to commit crimes, and in some cases, are even purchasing data from compromised databases on the dark web.

The Estonian Commercial Register has become a valuable resource for criminals seeking personal data, including names, identification codes, and phone numbers. With this information, they can attempt to access individuals’ online banking, though a PIN code is also required to complete transactions. According to Rain Vosman, Head of Criminal Police at the Southern Prefecture of the Estonian Police and Border Guard Board (PPA), criminals consistently seek to utilize internet-accessible data to build a comprehensive profile of potential victims.

On December 18, police reported that criminals had accessed state service accounts using electronic identity and fraudulently obtained PIN codes. Vosman explained that the goal is to gather data for further fraudulent schemes, building trust with individuals before attempting to steal money. “If a criminal already has access to a person’s identification code and phone number, they can call and, through manipulation, obtain the PIN1 code, which allows access to the ‘eesti.ee’ account, where a wide range of sensitive information is available,” he said.

The situation could be improved by concealing identification codes from publicly available information, as the less data accessible to criminals, the better, officials say. The European Union’s General Data Protection Regulation (GDPR) allows member states to individually determine whether identification codes are publicly accessible.

Currently, several Estonian laws regulate the public availability of identification codes. Kristi Värk, Head of the Data Protection Department at the Estonian Ministry of Justice, stated that personal data in Estonia is often made public to ensure transparency. However, the ministry issued guidelines to other ministries in the autumn, recommending that regulations be enshrined in law. Värk added that disclosing personal data constitutes a serious infringement on fundamental rights, as practically anyone can access the data, and individuals lose control over it. She emphasized that while there are cases where publishing personal data is justified, the decision should be made by legislators.

Anna Õuekallas, Head of the Electronic Identity Department at the Estonian Information System Authority (RIA), stressed that all parties involved share responsibility. She noted that providers of electronic services must assess the risks and, if there is a possibility of significant financial loss, re-evaluate the identification tools used and their format.

Vosman acknowledged that everyone can do more to protect themselves, but emphasized that individuals are the weakest link in the fraud chain. “We can make everything as secure as possible from the state or communication companies, but criminals manipulate people into entering codes in the wrong places – places where people wouldn’t knowingly do so from a rational perspective,” he said. The development underscores the importance of public awareness campaigns and robust security measures to combat increasingly sophisticated fraud schemes.

Read also: France discovers spying equipment on ship; Latvian resident also detained

Follow us also on Facebook, Draugiem and X!