NIK Audit Uncovers Massive Data Security Lapse in Polish Public Institutions


As many as several tens of thousands of email addresses used in Polish municipalities to exchange personal data may sit on public domains not registered to the institution, the Supreme Audit Office (NIK) estimates on the basis of an audit conducted in the Podlaskie voivodeship. Officials used addresses on public domains to send information such as PESEL numbers (the Polish national identification number), health status or the income of clients. The problem also extends to the judiciary and education. Experts argue that investing in cyber security is one thing, but the human factor still plays a crucial role in data security, and it remains the weakest link in the system.

“Our data, which are stored and processed in municipalities, are not secure. To put it more precisely, the appropriate level of security of this data is not maintained,” says Paweł Śmigielski, country manager at Stormshield, commenting on a report from the NIK concerning the security of personal data in municipal units in electronic form.

The audit of 12 territorial self-government units in Podlaskie voivodeship showed that negligence in protecting personal data had persisted for many years. The most glaring example was the use of commercial domains for email communication. The scale of the phenomenon is best evidenced by the fact that, after the audit, 250 such email addresses were discontinued.

“This should be surprising. A few years ago we had the so-called email scandal involving the head of the Prime Minister’s Office. We say that we should learn from mistakes, preferably from the mistakes of others. Excluding the use of private or pseudo-official mail, because these were official mailboxes run on widely available platforms, is an absolute minimum. The problem was not only the low awareness of officials in the audited units. The reports themselves state that officials corresponded with regional or central government offices: the Voivodeship Office, the Ministry of National Education, the Main Statistical Office. It is astonishing that the employees of these offices did not see a red flag when they corresponded with people using private mailboxes,” says Paweł Śmigielski.

Perhaps this was one of the factors that prompted NIK auditors to analyse the problem more widely. It turned out that the risk of similar irregularities across the country is very high: 43% of educational institutions, 32% of public health care institutions and 28% of social assistance centres use a main email address in a commercial domain, such as wp.pl, poczta.onet.pl or gmail.com, on a daily basis.

“The authorities were asked why due diligence was not exercised in securing data. Reasons cited included a lack of knowledge and awareness among employees, as well as ingrained habits of these employees. It is mentioned, for example, that some of these mail accounts were set up in 2004, and we can imagine that 20 years ago the awareness of data protection was completely different from today. We had not yet dealt with the regulation on the protection of personal data, but 20 years later these issues should be well known,” notes the Stormshield expert.

Based on NIK estimates, the irregularities may affect several tens of thousands of public institutions and several tens of thousands of email addresses that should not be used for official purposes. The audit is to be extended to all local government units in the country, as well as to other units of public administration. According to data NIK obtained from nine appellate courts, a similar problem may affect 88% of translators, 83% of court experts, 80% of lay judges, 73% of mediators and 5% of bailiffs. Of particular concern is not only the exchange of personal data through unsecured accounts, but also the nature of the information.

“The reports provided us with information that officials in this correspondence exchanged personal data such as names, PESEL numbers, the health status of citizens, and the income of individual families in social assistance centres. So, we can say, we were dealing with a great deal of sensitive data whose security, especially confidentiality, was not maintained,” indicates Paweł Śmigielski.

As NIK emphasizes, official communication should take place via a dedicated email inbox; using a private mailbox for official purposes is not good security practice. Examples from abroad are also worth following: in Austria, all local government units use the gv.at domain, while in the Czech Republic and Portugal public institutions are required to use their own purchased domains.
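To make the audit's classification concrete, here is an added example (not code from the NIK report or from Stormshield) that classifies institutional contact addresses by domain and tallies the share hosted on public webmail per institution type, in the style of the percentages quoted above. The webmail list, the government suffixes gov.pl and gv.at, and the registry of fictitious institutions are all constructed assumptions; a real audit would feed in the actual contact registry.

```python
"""Flag official contact addresses hosted on public webmail domains.

Added example, not part of the NIK report. Classifies each address as
government (reserved administrative suffix), institutional (own domain),
public (webmail provider) or invalid, then tallies the public share per
institution type.
"""
from collections import defaultdict
from typing import Dict, Iterable, Tuple

# Constructed list: providers named in the audit plus common ones (assumption).
PUBLIC_WEBMAIL = {
    "wp.pl", "o2.pl", "onet.pl", "interia.pl", "gmail.com", "googlemail.com",
    "outlook.com", "hotmail.com", "yahoo.com", "icloud.com",
}

# Suffixes reserved for public administration: gov.pl in Poland, gv.at in
# Austria (the model cited above). Assumption: extend per jurisdiction.
GOV_SUFFIXES = ("gov.pl", "gv.at")


def classify(address: str) -> str:
    """Return 'government', 'institutional', 'public' or 'invalid'.

    A domain counts as public webmail if it or any parent domain is in
    PUBLIC_WEBMAIL, so poczta.onet.pl matches onet.pl. Matching is
    case-insensitive because mail domains are.
    """
    addr = address.strip().lower()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or "." not in domain or " " in domain:
        return "invalid"
    labels = domain.split(".")
    if any(not label for label in labels):
        return "invalid"  # empty label, e.g. "ug..pl"
    # Walk parent domains: poczta.onet.pl -> onet.pl (stop before the bare TLD)
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in PUBLIC_WEBMAIL:
            return "public"
    for suffix in GOV_SUFFIXES:
        if domain == suffix or domain.endswith("." + suffix):
            return "government"
    return "institutional"


def tally(records: Iterable[Tuple[str, str]]) -> Dict[str, Dict[str, float]]:
    """Per institution type: total, public and invalid counts, public share in %."""
    stats: Dict[str, Dict[str, float]] = defaultdict(
        lambda: {"total": 0, "public": 0, "invalid": 0})
    for kind, address in records:
        verdict = classify(address)
        stats[kind]["total"] += 1
        if verdict == "public":
            stats[kind]["public"] += 1
        elif verdict == "invalid":
            stats[kind]["invalid"] += 1
    for s in stats.values():
        checked = s["total"] - s["invalid"]  # invalid entries are excluded from the share
        s["share_public_pct"] = round(100.0 * s["public"] / checked, 1) if checked else 0.0
    return dict(stats)


# Constructed sample registry: fictitious institutions and addresses.
SAMPLE_REGISTRY = [
    ("education", "sekretariat@sp1-przyklad.edu.pl"),
    ("education", "szkola.przyklad@wp.pl"),
    ("education", "Dyrektor.SP2@poczta.onet.pl"),
    ("education", "przedszkole@gmail.com"),
    ("health", "rejestracja@spzoz-przyklad.pl"),
    ("health", "osrodek.zdrowia@interia.pl"),
    ("social_assistance", "ops@ug-przyklad.gov.pl"),
    ("social_assistance", "opsprzyklad@o2.pl"),
    ("social_assistance", "gops@ugprzyklad.pl"),
    ("social_assistance", "not-an-address"),
]


def report(records=SAMPLE_REGISTRY) -> Dict[str, Dict[str, float]]:
    """Print a NIK-style summary table and return the underlying numbers."""
    stats = tally(records)
    for kind in sorted(stats):
        s = stats[kind]
        checked = int(s["total"] - s["invalid"])
        print(f"{kind:18s} public webmail: {int(s['public'])}/{checked} "
              f"({s['share_public_pct']}%), invalid: {int(s['invalid'])}")
    return stats


if __name__ == "__main__":
    report()
```

The parent-domain walk matters in practice: audits that only compare the full domain string miss addresses like poczta.onet.pl, and invalid entries are reported separately rather than silently counted as safe.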

“To avoid such incidents, it is necessary to rely on three pillars: people, procedures and technologies. These three pillars should function as one mutually complementary ecosystem. We should train our employees, especially non-technical staff who do not deal with IT on a daily basis. Security awareness training, aimed at raising employees’ awareness of current threats and the risks of processing data, is currently very popular. This can be supplemented by additional mechanisms applied regularly and cyclically – we can also carry out controlled attacks,” lists the country manager at Stormshield.

The Cyber Secure Local Government programme was established in response to challenges related to data security in territorial self-government units. It will cover over 2,800 units across the country. Its aim is to increase the level of information security of local governments by strengthening resilience and the ability to effectively prevent and respond to incidents in information systems.

“A very important aspect is that the programme places a strong emphasis on training and auditing. Even the most advanced technologies will not necessarily improve the security of the data stored and processed at the office. The key element is the human factor. In fact, we have been saying for many years in cyber security that the human factor is the weakest link and we should focus our efforts on raising awareness, skills and knowledge,” evaluates Paweł Śmigielski.

Territorial self-government units are regularly targeted by cybercriminals. The number of attacks on local governments doubled between 2020 and 2022, and, as experts point out, an election year favours criminal activity. The lack of technical controls (e.g. next-generation firewalls, EDR endpoint protection), as well as of monitoring and incident-reporting mechanisms, makes them easy targets. Stormshield experts therefore regard such programmes as a step in the right direction, especially where city or commune leaders prefer visible investments for residents, such as infrastructure, over local government cyber security.

This is also important in the context of the NIS2 Directive, which imposes a number of obligations on entities such as operators of critical infrastructure, e.g. water or heating: incident reporting, risk management and the application of technical measures commensurate with the level of risk. As experts suggest, as many as 60% of the units that will be subject to the directive may not be ready to implement it.
