Massive data leak: Ukrainian IDs, other documents exposed by years of cyber negligence

Shoddy cyber security at Ukrainian vehicle inspections has exposed hundreds of thousands of personal documents for the past four years.
Largely scans of passports, taxpayer identification numbers, driver's licenses and vehicle registrations, the documents span a broad stretch of Ukrainian geography and demography. Mostly, they identify people who were buying or selling used cars internationally.
Up until April 1, the documents were available, unprotected and unencrypted, on a server of one of the largest cloud storage providers in the world that, though tough to get to for regular users, is easy enough to find for bad actors.
'If it hasn't already been accessed, it's just a matter of time before it is and can be abused to ruin a lot of people,' says cybersecurity and access management specialist Jake Dixon, who spotted the documents. 'And I know that there are teams of people in Russian intelligence and Russian cyber commands that are looking for stuff like this.'
The earliest documents date to the start of 2021. Dixon found them and informed Ukrainian authorities back in April 2022, but said it went nowhere. Only now, three years later, once contacted by the Kyiv Independent, authorities appear to have started securing them.
The documents in question currently number 992,978. They all seem to come from vehicle inspection sites, which check and certify used foreign cars sold into Ukraine. Ukrainians buy upwards of 300,000 such vehicles per year, per Interior Ministry data. Documents gathered for those vehicle inspections form the core of the database.
Many of the documents are relatively harmless, like photos of cars and receipts for transactions, or certifications themselves. But the database includes core identifying documents like passports and taxpayer cards (similar to a U.S. Social Security Card) for likely tens, and possibly hundreds of thousands of Ukrainians, as well as foreign entities who sold cars into Ukraine. Unprotected, it was a ripe target for identity theft. There is no way of knowing the extent to which it has been accessed or what data has been taken from it.
As of publication, the most recent batch was uploaded on March 11. The earliest documents date back to the beginning of 2021. On April 1, 2025, what seems to be all of them were taken private.
The data leak comes as Ukraine has been — in theory — on high alert about cyber security for over three years.
Formerly public data for many Ukrainian services have gone dark since Russia's full-scale invasion. This is in large part out of concerns that Russian intelligence or hackers will use information from sources like property registries to locate, blackmail and extort Ukrainians.
At the same time, personal data of thousands of Ukrainians have been endangered through what appears to be sloppy security at vehicle inspections centers. The centers are private businesses certified by the Ministry of Development of Communities and Territories that provide inspections of the condition of a car — a government requirement when a car is brought into Ukraine from abroad.
The cloud storage provider in question is regarded as a highly secure system for data management. However, that is not the case when the data collected is not protected by basic security like a password. For obvious security reasons, the Kyiv Independent is not including links to the cloud server containing the documents in question.
However, it's relatively easy for individuals with fairly cheap specialty software to navigate it and find the documents. Dixon himself located the bucket using software that scans for sensitive data left vulnerable, software that he says certainly exists in Russia and elsewhere.
Scanning for unsecured personal documents has been 'a risk since people started moving to the cloud. It's something that threat actors actively watch,' says Dixon. 'I would be surprised if it hasn't been discovered by someone else in the frame of time since I discovered it. And they're still uploading files to this container.'
The way the data in question is arranged makes it more complicated to use en masse, or search through for names of specific people listed. It is, however, easy to go through and find individual identifying information for random individuals.
'I think there was a drive for digitization and this (system) just got pushed because someone needed access to this data quickly, and then some connection got opened, some configuration got changed. It's just been sitting there ever since, collecting,' Dixon described the exposed batch of documents.
Dixon warned Ukrainian cyber authority the Computer Emergency Response Team of Ukraine, or CERT-UA, of the exposure back in 2022, per emails reviewed by the Kyiv Independent. After responding to Dixon asking for more information, CERT-UA went quiet for, apparently, three years.
Anton Kobyliansky, a representative for the State Special Communications Service which oversees CERT-UA, told the Kyiv Independent that the responsibility for both was 'cyber incidents,' which did not include this leaked data. Kobyliansky said this data was likely the responsibility of the Ministry of Digital Transformation and declined to comment.
The Ministry of Digital Transformation is the agency that launched Diia, a mobile application that digitizes government services and documents. Announced in 2019, Diia launched in early 2020 with passports and driver's licenses the first documents to be digitized. Viktoriia Savchenko, a representative for the Ministry of Digital Transformation, similarly denied her agency's responsibility for the data involved.
The documents come from a number of privately-owned Ukrainian vehicle inspection centers, almost all relating to government-mandated certificates for the import of used vehicles. A number of phone numbers for service centers listed including Center Auto and AutoTechnoServis were dead.
A staffer for Euro-Center, one of the inspection centers that appear most frequently in the leak, did not return a request for comment when reached. The contact number for another servicer, VK-Auto, hung up on the Kyiv Independent, when asked about the data leak.
The government authority licensing the vehicle inspections stations is the Ministry of Development of Communities and Territories, previously called the Ministry of Infrastructure. When reached, Ruslan Kyrychenko, head of the Technical Regulation Department of the Road Transport and Safety Department within the ministry, said: 'We note that the vehicle inspection centers do not report to the Ministry of Development.'
Currently, Ukrainian government data is heavily centralized. A hack that came to light in December took the bulk of Ukraine's federal government registries offline for weeks, stalling services ranging from incorporation to vehicle sales to marriage registration.
Responsibility for that government data is, however, thoroughly dispersed.
The Kyiv Independent contacted the relevant authorities on March 26 — including the above, representatives for Ukraine's State Security Service and the Ministry of Justice.
All denied ownership of the data. Yet, after repeated follow-up, the data on the server began to go private on April 1, 2025 — just shy of three years after Dixon, an Irish national living in Estonia, first reported the problem to Ukrainian authorities. As of publication, none of the officials contacted would acknowledge involvement in taking the data offline, but someone was clearly responding to inquiries.
'Sloppy,' says fellow cybersecurity specialist and sometimes hacker on behalf of Ukraine Karla Wagner, upon reviewing the open data. 'There's a high probability that someone set this up in a hurry, perhaps even deployed a demo, with data replication turned on by default, and they didn't take the time to secure it.'
It is not complicated to make one of these databases private, or guard it with a password.
'These days, whenever you go into that configuration, it comes up with a big warning saying, 'do not leave this as public' because of how many times this has occurred for people,' says Dixon.
'It shouldn't be open like this, especially in a time of war.'
Hi, this is Kollen, the author of this article. Thanks for reading. Ukrainians' responses to Russia's invasion showcase a society that is deeply resilient and inventive, despite pullbacks in aid. If you like reading stories highlighting those features from on the ground, please consider supporting our work by of the Kyiv Independent.
Read also: '89 hours of non-stop work' — Ukrainian Railways' battle against a cyberattack by 'the enemy'
We've been working hard to bring you independent, locally-sourced news from Ukraine. Consider supporting the Kyiv Independent.

Try Our AI Features

Explore what Daily8 AI can do for you:

Learn with AIFact CheckingText to SpeechAI Summary

Related Articles

New York Post

14 hours ago

• New York Post

Panthers disprove popular analytics narrative with their Stanley Cup win

Why are all the spreadsheet folks, who have lectured all of us for years that teams cannot win the Stanley Cup if they are paying their No. 1 goaltender at least 10 percent of the cap, so silent now after the Panthers have gone back-to-back with Sergei Bobrovsky in the net? Bobrovsky, who has completed the sixth season of his seven-year deal for $10 million per, shares the distinction with Aleksander Barkov as Florida's highest-paid player. A year ago, Bobrovsky accounted for 11.976 percent of the cap. This year, the 36-year-old Russian accounted for 11.363 percent of the cap. (Igor Shesterkin will account for 11.518 percent of the cap when the 29-year-old's eight-year extension at $11M per kicks in July 1. If the Rangers do not end the three-decade-plus drought during Shesterkin's tenure, it won't be because they invested too much into their franchise goalie.) And though Connor McDavid won the Conn Smythe last year before Sam Bennett was named the playoffs MVP this year, Bobrovsky was the ultimate difference maker each time around. There have been exceptions to the rule, but the notion that legit contenders can get by with middle-tier netminders has always been patently absurd.

Boston Globe

16 hours ago

• Boston Globe

Ukraine warns teenagers the enemy is inside their phones

Advertisement Think of this class, in a secondary school in the western city of Lviv, as the Ukrainian version of 'Scared Straight.' The course, introduced this spring by Ukraine's top internal security agency and the national police at high schools nationwide, aims to deter teenagers from falling under the influence of Russian operatives. They have started paying Ukrainian minors to set fires or plant homemade bombs, Ukrainian authorities say. 'I remind you that criminal responsibility in Ukraine begins at 14 years of age,' said the camouflaged man at the presentation on a recent Wednesday. 'Unfortunately, this easy money can lead either to criminal liability or to death.' For more than a year, Ukrainian authorities say, the Russian state security agency, known as the FSB, has targeted Ukrainian teenagers on social media apps like Telegram, TikTok and Discord. They are offered hundreds or even thousands of dollars to do simple tasks: Deliver a package. Take a photograph of a power substation. Spray graffiti. Advertisement The FSB did not respond to a request for comment for this article. Many young people do not necessarily know they are being recruited. The Security Service of Ukraine, known as the SBU, says the teenagers often just search for 'easy money' on Telegram, where the Russians are waiting for them. But some agree to more complicated missions, often because they were blackmailed for the first task they performed, or for compromising photographs hacked from their phones. The SBU said late last month that authorities had accused more than 600 people of trying to commit arson, terrorism or sabotage in Ukraine after being recruited by Russian intelligence services. Of those, about 1 in 4 were minors. (The adults often had criminal records or a history of drug abuse.) One perpetrator was only 13. In May, the head of the national juvenile police said in a TV interview that almost 50 other children had reported to authorities that Russians had tried to recruit them. Since Russia's full-scale invasion of Ukraine in February 2022, both sides have engaged in clandestine warfare. Ukraine has recruited people in Russia for targeted high-level killings, law enforcement sources said. For instance, the Ukrainians claimed responsibility for assassinating a top Russian general and his aide with a bomb planted in a scooter in December. But with the recruitment of young Ukrainians, the Russians are taking a new step by aiming for more indiscriminate attacks, near military recruitment centers or railway stations, said Roksolana Yavorska-Isaienko, an SBU spokesperson for the Lviv region. It is reminiscent of how teenagers were used as suicide bombers in Afghanistan, Pakistan and elsewhere. Advertisement In December, the news in Ukraine was filled with reports of a significant case. The SBU and the national police detained two groups of teenagers in the eastern city of Kharkiv who they said had been tricked online into joining a fake 'quest' game, in which the 15- and 16-year-olds were sent tasks like setting fires and taking photographs and videos of certain targets, even air defenses. Ukrainian authorities said the Russians used the information to carry out airstrikes in Kharkiv, the country's second-largest city. These claims could not be independently verified. During the class, the camouflaged agent and Yavorska-Isaienko went through other examples, one by one. In March, in the case that resonated the most with the students, a 15-year-old and a 17-year-old were recruited on Telegram in the western city of Ivano-Frankivsk with the promise of $1,700, Ukrainian authorities said. Following instructions, the teenagers built two bombs out of thermos flasks and metal nuts. When they tried to deliver one of the bombs, authorities said, Russian agents detonated it remotely near the train station. The 17-year-old was killed, and the 15-year-old lost his legs. In April, the SBU caught a 17-year-old and an 18-year-old who burned train relay boxes in Lviv. They were recruited on Telegram, authorities said. Searches of their cellphones showed text messages between the teenagers and their Russian handlers. 'Yeah, the money will be there tomorrow,' the handler wrote, adding that it would arrive around lunchtime. 'Got it, bro,' one of the teenagers responded. Eventually, about $178 was transferred to his account. And in May -- just three days before the class -- two teenagers in the western city of Rivne made an explosive device from Russian instructions, put it in an abandoned building, positioned an ax there and covered the whole contraption with paint, authorities said. Then they called emergency services, claiming there was a dead person. After the police responded, the bomb exploded, but no one was harmed. The teenagers were arrested. Advertisement The recent class was about the 200th that the agency has done in the Lviv region since the outreach program started in April. The presenters knew how to hold the teenagers' attention. 'Maybe not all of these special operations are reported in the media -- but believe me, the enemy is not sleeping,' Yavorska-Isaienko said. 'They are working actively and carrying out illegal activities, as strange as it may sound, directly inside your phones.' She added, 'And when you hear an offer to earn quick money for a brand-new iPhone or $1,000, of course, it sounds very tempting. Sometimes, the task is disguised as a simple courier delivery, taking pictures of critical infrastructure or spraying provocative graffiti. That is often the first step toward your recruitment.' This classroom in the Lviv secondary school No. 32 resembled a typical science classroom in the United States, complete with creaky wooden floors; a poster of a tiger on the wall; models of DNA and lungs in the back; and teenagers in hoodies and jeans, heavy-metal T-shirts and a Barbie sweater. But these students did not make jokes or whisper the way many teenagers do. They asked questions: How did the Russians do surveillance? How could they help fight the FSB? These students had grown up with the war against Russia. Relatives were fighting on the front lines. One girl's uncle was missing. Advertisement 'Can I help and report it to the security services if I've already been approached for recruitment?' asked Volodia Sozonyk, 17, a boy in a blue hoodie and a manga T-shirt. 'If they've sent me an address or something I need to do, can I identify that spot for your operatives to help?' Yavorska-Isaienko and the camouflaged man told the students they could anonymously report any recruitment attempts to a new chatbot called 'Expose the FSB Agent.' And Yavorska-Isaienko told the students to use their common sense. 'No one in real life will suddenly offer you $1,000 or $2,000 just like that,' she said. 'You need to understand: The only free cheese is in the mousetrap.' This article originally appeared in

New York Post

18 hours ago

• New York Post

Deadly Russian assaults on Ukraine continue as date for new peace talks nears

At least one person was killed in Ukraine Friday night as Russia continued its unrelenting attacks, despite both parties reportedly inching closer to a new round of peace talks. A barrage of more than 20 Russian drones rained down on residential areas in the Ukrainian port city of Odesa and the northeastern city of Kharkiv overnight, according to officials. One civilian was killed and almost two dozen were injured, including two girls — 12 and 17-years-old — and three emergency workers. The strikes sparked fires that caused the partial collapse of a four-story apartment building and tore through the upper floors of a 23-story high-rise, leading to the evacuation of about 600 residents. Advertisement 4 Firefighters evacuated residents from a burning apartment building following Russia's massive air attack in Odesa. AP The Kremlin's attack also included 86 Iranian Shahed and decoy drones blasted across the country into Saturday, Ukrainian President Volodymyr Zelensky said in a post on Telegram. 'Russia continues its tactics of targeted terror against our people,' Zelensky said in the post. Advertisement He called on Western countries to keep the pressure on Russia, including through sanctions. 'The sooner the sick people in the Kremlin lose the ability to finance the war, the more lives we can save in Ukraine,' Zelensky said. 4 Emergency responders worked at the site of an apartment building hit by a Russian drone strike in Odesa. via REUTERS In the 24 hours leading up to the nighttime attack, Russia bombarded its neighbor with hundreds more drones and cruise and ballistic missiles, according to Ukraine's air force. Advertisement The attacks followed an assault on Kyiv Tuesday that killed 28 and injured 142 others — marking the deadliest onslaught on the capital city this year. Meanwhile, the warring countries completed another round of prisoner exchanges on Friday, the second trade of POWs and soldiers' remains in two days, though neither side specified how many people were involved in the swap. 4 A kitchen in a high-rise apartment building was destroyed in a Russian drone attack in Odesa. AFP via Getty Images Zelensky said on X that most of his country's POWs had been held by Russia for more than two years, following their full-scale invasion of Ukraine in 2022. Advertisement The oldest of the released captives was 63 years old and another, a 45-year-old service member, was released on his birthday, Ukrainian negotiator Dmytro Lubinets said. Zelensky also charged Russian President Vladimir Putin with using the return of the dead to obscure the scale of its military losses from the public, the Kyiv Independent reported. 4 Residential buildings, businesses, civilian infrastructure and cars were wrecked in the overnight attacks, officials said. AFP via Getty Images At a press conference Friday, Zelensky said authorities confirmed that at least 20 of the bodies returned as Ukrainians were actually Russian soldiers. The two countries have carried out a series of swaps since renewing peace talks, which in Istanbul last month. The last negotiations were held on June 2 and though Kyiv has not spoken recently of them resuming, Kremlin spokesman Dmitry Peskov said Friday that the date for the next round is expected to be agreed upon this coming week. With Post wires