Hacker Steals Government ID Database for Argentina's Entire Population

A hacker has breached the Argentinian government's IT network and stolen ID card details for the country's entire population, data that is now being sold in private circles. The hack, which took place last month, targeted RENAPER, which stands for Registro Nacional de las Personas, translated as National Registry of Persons. From a report: The agency is a crucial cog inside the Argentinian Interior Ministry, where it is tasked with issuing national ID cards to all citizens, data that it also stores in digital format as a database accessible to other government agencies, acting as a backbone for most government queries for citizen's personal information.

Boy...I can't wait...

[cayenne8]

...for the US to get one of these national ID and databases.

I mean, the SS one is not nearly bad enough, this new one could add biometric and more info and be MUCH more risky like in Argentina.

Re:

[timeOday]

Ok but that's a one-sided analysis without weighing against the downsides of the status quo.

Re:

[cayenne8]

Ok but that's a one-sided analysis without weighing against the downsides of the status quo.

Ok...care to list a few of those downsides?

Re:

[wakeboarder]

No, you have this all wrong... The government can take care of your data. Nothing could go wrong.

What could possibly go wrong?

[shanen]

Well, I guess this is the branch I was looking for, but without the obligatory joke. What's with all the vacuous Subjects? Just the "grab FP" pressure? But the original Subject was only marginally worse than mine, because I'm not actually joking. I'm going to try to address the "What".

There's too much focus on the "stick" side of personal information abuse. It's easy to see how people can be threatened with the disclosure of their negative information. And of course governments collect lots of negative info

Re: Boy...I can't wait...

[flyingfsck]

Donâ(TM)t worry citizens, the gov still has all the data, it did not disappear. The hackers only made a copy.

Re:

[NotEmmanuelGoldstein]

... the US to get one of these national ID ....

A 2008 US law allows your driver's licence (or proof-of-age Id.) to be a federally-approved identity card. Many states have refused to enact the verification procedures required.

Re:

[MBGMorden]

The choice is that we need to somehow get to a system where you can't do so much damage with personal information, because it's being proven time and again that it's not a matter of if, but rather when it gets leaked.

I don't have a solution, and I'm not even sure one is possible, but the current system isn't working. It really doesn't even matter outside of passwords most of the time. When your information gets leaked its probably not the first time that it has happened, nor will it be the last.

Re:Gotta issue new IDs

[ctilsie242]

There is a solution, but it is something not going to happen with a data hoarding mindset. You go with a certificate based system:

First, you have a smart card. This could be an ID card, cryptographic token, phone... anything with a secure processor. From there, you have government organizations sign the card with info, and their certificate. Since the public cert is common, validation of this ID can be done offline without any need to connect anywhere.

For example, if a user is over age 21, the government signs their ID with that fact. Then, at a bar, all it takes is some way to verify the ID belongs to the person claiming it, and then check the cert. No other info is needed. No name, no address... done. This can be done with degrees, so someone can be validated to have a college degree, but other info than that isn't stored, or needed.

Problem is that governments love data, and love piling it in one place which is a sweet, sweet trove, a ton of eggs in a basket, waiting to be "harvested". To boot, governments really have no stake if the data is compromised, because it doesn't affect them in any way, other than perhaps compromising national security later on when enemy nations use that info for blackmail, extortion, or connecting the dots and finding spies... but politicians don't really care about that, since a massive attack from an enemy isn't directly going to affect their career, for the most part, and they are world experts at kicking the can and passing the buck.

By segmenting things, it would be a lot harder to get data on people.

Re:

[Editorial Failure]

A reasonable first approach but not quite enough because it still assigns a recordable unique tag that can be hoarded and added to. So you'll still get heaps of data from which full identities can be distilled. You rightfully point out that governments like their data-hoarding. It is worth remembering that giving everyone a surname and setting up a registry was originally a way for Napoleon to keep tabs on his political enemies. Later governments thought it was mighty convenient too so they kept it. The fac

Re:

[fustakrakich]

First, you have a smart card.

That is a show stopper

anything with a secure processor.

No such thing

Re:

[VeryFluffyBunny]

> ...anything with a secure processor. -- Yep, you beat me to it.

Re:

[cayenne8]

There is a solution, but it is something not going to happen with a data hoarding mindset. You go with a certificate based system:

Here's a question that will put forth a solution.

WTF do you need a National ID at all?

We don't have one here in the US (so far)...and it works out just fine.

The govt has no need to track and trace and collect all sorts of info about you as a citizen.

It needs to know some things, but PRECIOUS LITTLE.

Re:

[jeff4747]

We don't have one here in the US (so far)...and it works out just fine.

50 different state ID cards + an SSN is just a national ID card with extra steps (and costs).

Especially since those 50 states are now sharing information via a national database.

Re:

[VeryFluffyBunny]

We have national ID cards in Spain & in many other EU countries. We also have digital IDs. These make doing stuff like proving your identity & home address to open bank accounts, buy big items, rent homes & expensive stuff much, much easier. With the digital IDs we can do pretty much all of our govt bureaucracy online in minutes instead of making appointments & hanging around in COVID-19 & flu infested waiting rooms for hours. Also makes life easier for the police, e.g. if they need to f

Re:

[kaur]

Another European here, from Estonia.
We have had a similar system since 2002. Started with chip cards, now works with mobile phones. Works like a charm. No abuse has been recorded, even though there have been some theoretical attacks.

Europe has regulation, standard and certification for such identity solutions since 2014:
https://en.wikipedia.org/wiki/... [wikipedia.org]
It establishes several different assurance levels, requirements for everything from chip cards to audit procedures, etc. And it is mandatory for the member s

Re:

[kaur]

I have many expat friends living in Estonia. They constantly praise us for for the simplicity and efficiency of our public services. Part of this is ease of access. Anything that can be done online is done online. No queues or waiting in line till the office finishes its lunch break.

And this extends to private sector / services as well. Need to sign your child into a sports club? Check his grades in the school or see what's up for the homework? Pay your phone bill or dispute a car parking ticket? All online

Re:

[kaur]

Heidegger's "Die Frage nach der Technik" is discussing the same issues. And I am not saying that you are wrong.

Re:

[VeryFluffyBunny]

"The Netherlands" in the USA, right? Right next to QAnon-ville.

Re:

[account_deleted]

Comment removed based on user account deletion

and what about loans and other stuff are they wipe

[Joe_Dragon]

and what about loans and other stuff are they wiped out or does some one need to do an hard and long audit

Re:

[schwit1]

What would be different with a new ID?

Re:

[fustakrakich]

It will invalidate the old ones

Re:

[VeryFluffyBunny]

Don't put everyone's ID info into a single centralised database, i.e. put all your eggs into one basket. A distributed system with common standards to exchange data from one region to another when required would make such a catastrophic failure unlikely. This is what Spain opted to do with its medical records database system. Not sure how Spain does it with its national ID system but more than likely it's also distributed.

Re:

[fustakrakich]

Yeah, we have 50 states, and they are broken down into counties, all easily connectable. But we still need some form of ID that is human readable without anything more than plain old daylight, or a whale oil lamp. We don't want people being held because "the network is down"

Re:

[VeryFluffyBunny]

Re: "But we still need some form of ID that is human readable..." -- I've never seen one that isn't.

Was the translation really necessary?

[Viol8]

If any native English speakers cant figure out what Registro Nacional de las Personas means then they should probably stick to reading Reddit instead of a site like this that requires an IQ larger than a shoe size.

Re:

[VeryFluffyBunny]

What's an IQ? Is it like QAnon?

Most information was already public

[juancn]

I'm argentinian, the ID numbers are treated as public information mostly, it's like someone knowing your name. We don't use them for authentication.

Even addresses and credit status are usually on the public record.

Since voting is mandatory, there's a list (padrón electoral) that already has all that data and it's mostly public (it has id number, name, gender and last known address).

Heck if you go to the central bank you can query a bunch of stuff about people and companies [bcra.gob.ar] with the CUIT/CUIL which is the ID number plus some disambiguation used for tax purposes.

As an example, you can check Messi's status here [cuitonline.com] (his CUIT is 23330162449, and his ID number 33016244) or go to the central bank and check his credit history in Argentina using the CUIT.

It won't be very interesting because he hasn't been here mostly.

The main concern would be that some of the rushed apps made during the COVID pandemic, sometimes require a number that's normally only on your ID card or on the RENAPER as a pseudo authentication, but the security issue is with those apps, in any case you can't do much with them other than look at some information.

Re:

[VeryFluffyBunny]

Yep, pretty much the same here in Spain. I think in the USA they treat people's social security number as if it were some kind of secret authentication code, when in fact, it's pretty easy information to get hold of. Results in a lot of financial fraud & identity theft. The USA has really gotta find a more secure way to do their personal authentication.

Re:

[cowdung]

Yeah.. you'd think the US could have a safer authentication mechanism than a public number that you have to keep giving out to people for different reasons.

Re:

[cowdung]

Yeah. I'm kind of surprised a hacker was needed.

I'm in a neighboring country and the "national ID database" circulates between programmers for their apps. Also, it's available online right now.

So I'm not sure what great accomplishment these hackers achieved.
If I were them I'd be covering my face with my black hat right now to escape the public embarrassment.

Your ID is stolen

[Archangel Michael]

Time to make those companies assume that your data is stolen, and stop identity thieves from having personal identifying information and demand actual evidence that you are a real person, not just someone who bought your stolen info on the dark web.

ZERO TRUST works because it is not convenient, and convenience isn't secure

Interesting facts from the first sighting

[Dirk Becher]

- 0.000002 % of the population are popes
- Argentinians are 50% male and 95% female
- Instead of an address they just store your distance to Buenos Aires