Personal data a multimillion-euro business

The cases of leaked personal data that have been reported over the past few months are just the tip of the iceberg 25 Jan 2013

Lina Giannarou, Yiannis Souliotis & Prokopis Hadzinikolaou

From: Neoskosmos.com

The cases of leaked personal data that have been reported over the past few months are just the tip of the iceberg, according to experts who say that the sale of private information such as the tax records of unwary citizens has become a multimillion-euro business and is taking place right under the noses of the Greek authorities. The crisis, they add, has also led to lax security regarding public service and ministry databases, meaning that the phenomenon is most likely to see an additional rise.

From the Lagarde list and the off-the-books accounts of high-ranking civil servants, to the catalogs of the Athens Bar Association and the database of a vehicle inspection center (KTEO), there is no end to the gold mine of personal information that is available to the skilled hacker or audacious briber.

Entire companies, as well as individual “entrepreneurs” can put together information gleaned about an individual’s personal habits, finances and social activities to create a profile that can be used for product or service promotion, as well as more nefarious goals.

The demand for personal data is so great that companies are opening up all over the country dealing exclusively in their collection and “management.”

“In short, they buy and sell CDs of information,” a source in the business, who declined to be named, told Kathimerini.

These companies claim that the information they collect is on public record, such as from the Athens Doctors’ Association or the telephone book. However, according to the regulations of the Authority for the Protection of Personal Data, even when information is a matter of public record, the person to which the information belongs must give his or her consent before it is disseminated.

According to Vassilis Sotiropoulos, a lawyer who specializes in personal data protection, the collection of such information is allowed without the consent of the subject only when the subject is a public figure and is for the purpose of journalism or for conducting a criminal investigation.

“Even then you would need the authority’s approval,” said Sotiropoulos, adding that “under no circumstances would permission be given to a data collection company. Overall, Greek legislation is very strict about such matters.”

Special permission from the authority is also necessary for the collection and use of sensitive personal information, such as medical records, said Sotiropoulos, while an Athens court last month ruled in favor of a man who had filed a suit against his bank because it shared his personal data with a debt collection company without first getting his approval.

The crisis has given new momentum to the business of selling data, with tax records leading in popularity, according to experts, who say that indebted households and individuals are increasingly being targeted by collectors and other potential creditors using confidential data to gauge their approach.

The crisis, experts add, has also created a massive gap in security.

“The public sector is in a dramatic state in terms of security systems,” the CEO of security firm Obrela, Giorgos Patsis, told Kathimerini.

“As though the problems of overlapping responsibilities for security between ministries and poorly trained employees were not enough, the crisis has pushed security down to the bottom of the list of public services’ priorities,” Patsis said. “For example, there hasn’t been a single competition for companies to provide a data security system for at least two years in the state sector.”

Patsis says that almost anyone with the right know-how can infiltrate the databases and records of public services and download as much information as they want.

“And it’s not just the problem of hackers either,” said Patsis. “In fact, public records are most at risk from human error. All someone has to do is leave a door open and crooks can get their hands on valuable records.”

Cost of information from 200-1,000 euros per item

Officers working for the police’s electronics crimes squad say that the biggest case of private data theft they have cracked was earlier this month in Dafni, eastern Athens, when they arrested a man who was in possession of over 100 million records pertaining to individuals and companies.

The 59-year-old suspect has pending convictions over tax evasion, while authorities are also seeking his 31-year-old son, who was the president of the company for which the data collection was taking place, as well as a 35-year-old computer technician who worked for them.

Another suspected accomplice was also arrested in Exarchia on January 16.

The records found by officers in the Dafni offices of the company, which had a staff of 38, are believed to have come from the ministries of Finance, Transport and Interior, while the number of records is estimated at 110-120 million. Among the information siphoned from the Finance Ministry’s General Secretariat of Information Systems are the names of people who owe money to the state and property owners, as well as millions of property registration and income declaration codes. From the ministries of Interior and Transport, the company was able to get detailed information pertaining to registered car owners as well as registered voters.

The data were stored in three separate servers and could be cross-referenced, while any of the employees could type in the name of an individual in the system and have access to all of the information gathered on him or her.