Massive Data Leaks In Albania Highlight National Cybersecurity Shortcomings

Data leaks and cyberattacks are becoming increasingly frequent in southeastern Europe. One of the more recent examples is a data leak from Albania, which compromised the personal data of several thousands of Albanian citizens. This is also not the first data leak in the country; a similar incident took place shortly before the elections in April. Such occurrences call for the revision of existing measures to protect personal information, improve cybersecurity strategies, and understand the role of the different sectors involved in data protection.

Towards the end of this month, a database with “private information of … salaries … job positions, employer names and ID numbers of some 630,000 [Albanian] citizens, from both the public and private sectors” started to circulate online, Balkan Insight reports. A similar database, which contained “private information and comments on political preferences,” was circulated in April.

The leaked data itself can be sold on the black market “for between $1 and $5 per record, depending on the information held” from each person, leading to identity theft, according to Exit News Albania. The data can then be used to access personal accounts and social media, or “by private companies that may wish to target individuals for advertising, monitoring, social media targeting, and more.”

The individuals affected are at risk for as long as the data is openly available. Fabian Zhilla, a security expert based in Tirana, told Balkan Insight that with these data leaks, “the public loses trust in public institutions and the loss of trust is directly related to the cooperation that citizens should have with institutions.” If this threat is not addressed, “citizens will be exposed and blackmailed and this includes employees of important state institutions.”

An I.T. expert told Exit that Albania “must renew IDs of all people if it wants to create trust in public institutions, despite the huge costs associated.”

Enri Hide, a security expert and professor at the European University in Tirana, called the leak “an open threat to the national security” and added that it “shows the weaknesses of Albania’s cyber-security infrastructure [and a] lack of a response plan in such cases.” The consequences have implications not only for the people, but also for the private sectors, the military, national intelligence, and security. “Cyber-security must be taken seriously [via new strategies and] a clear protocol of what should happen if we have such leaks,” Hide says. While the country does have cybersecurity strategies, there are still gaps to be addressed – including the lack of a firm response to the leak – and the data leak demonstrates the urgency of the need to address those shortcomings.

Various Albanian government officials have provided commentary on the issue. The opposition Democratic Party condemned the “extraordinary scandal” and accused the Socialist government of failing to protect citizens’ private data, while Prime Minister Edi Rama called it “an attempt to create confusion and to foster instability.” Meanwhile, there is yet to be a firm response to the data leak. Instead of focusing on their disagreements, Albanian political groups must instead focus on addressing the causes of this data leak and the possibilities of other forms of attack and protecting the country from further data leaks.

There is no single factor that creates cybersecurity shortcomings in the country, but points to consider include the level of cooperation between national institutions addressing these issues, current strategies, and the development of cybersecurity in neighboring countries. Given the levels of connection between Albania and its regional partners, in part due to globalization, any vulnerable links in one country can put the rest of the region at risk. Even if Albania has more robust cybersecurity strategies than its neighboring countries, it is still at risk. Therefore, one potential solution to data leaks in Albania is to increase cooperation and strategies between countries in the region. This allows for cooperation on similar goals and the advancement of more robust strategies that can be promoted and revised as needed. Also, cooperation between national institutions and the public and private sectors will be beneficial in promoting and further developing cybersecurity strategies, such as the 2020-2025 plan.

Zhilla additionally suggests setting up “a commission . . . at the ministerial level, perhaps with the request of Parliament to make a better assessment of the protection protocol, the measures related to the status quo of the infrastructure that the official institutions have today to protect the personal data.”

These strategies will not make Albania or southeast Europe immune to data leaks, but in the event of one, they would serve as additional measures of preparation and mitigation.

These data leaks have consequences, not just for national security, but for Albanian society as a whole. The leaks’ effects on both public and private sectors call for additional co-operation between these sectors, along with national agencies that work on these issues. This cooperation will allow for coordinated responses to mitigate data leaks, protect citizens’ data, and assess risks to understand what needs to be done.