Authorities in Uzbekistan are investigating claims that the personal data of at least 15mn citizens has turned up on the dark web.

The situation is raising major concerns over the cybersecurity of government information systems.

Links to dark web and other resources were published on Reddit, along with claims that they provide access to personal data stored by Uzbek government agency information systems. 

The leaked data reportedly may include citizens’ full names, residential addresses, dates of birth, phone numbers, email addresses and passport numbers. 

Some files are also said to contain copies of passports, sick leave certificates and photographs.

"Reports are circulating on social media that personal data of Uzbek citizens have been leaked from some government information systems. An investigation is currently under way and additional information will be provided based on the findings," the Uzbek Cybersecurity Centre said in response to the claims. 

The alleged leak is said to have targeted the government’s OAuth server, the primary authentication system used across the digital government platform. 

The breach is said to have affected multiple agencies and platforms, including universities, political parties, utility payment systems, law enforcement agencies and the Ministry of Internal Affairs’ personnel system. 

The hack also compromised the national agency for social protection’s medical data system, the national statistical committee (STAT.UZ) and the mortgage refinancing company of Uzbekistan (UZMRC.UZ), it is claimed.

A source familiar with the work of the Information Centre, a provider of government systems and services, told Ozodlik on February 4 that the leak was likely related to a technical problem on the id.gov.uz platform.

They were reported as saying: “The leaked data was caused by a vulnerability in id.gov.uz. The API token that id.gov.uz provided to one organisation could be used by another person. This vulnerability is currently being closed.

“It is not true that there was a hacker attack on the tax and internal affairs systems. The internal affairs systems operate in a very closed network, are not connected to the internet and are under control.

“The id.gov.uz system was created by Uzinfocom Limited Liability Company.”

Citizens of the country of towards 38mn have been urged not to disclose personal information and to use complex logins and passwords when accessing government and other electronic systems. 

They were also advised to avoid entering personal data via any links that appear suspicious in any way.

Amid social media discussions suggesting that population and agricultural census data may have been affected, the national statistical committee sought to reassure the public. 

"All data collected during the online population and agricultural census from January 15 to 31 are securely stored in encrypted form on a separate server. There is no cause for concern regarding the security of compatriots' data related to the census," the statistical committee stated.