
Private Information of Citizens for Sale in Iran

April 25, 2020
IranWire Citizen Journalist
A cascade of leaks of private information about Iranian citizens has become widespread in recent days
The information of 600,000 user accounts in the National Railway Transportation Company is only a small part of the information of Iranian users and citizens being sold on the Internet
Abolghasem Sadeghi, the deputy head of security of the Iranian IT Organization (Maher), confirmed the hacks as genuine and said that Maher was investigating the matter
In 2017, the Ministry of Communications began drafting a "bill to protect personal data"

Mona Zamani, Citizen Journalist, Shiraz

A cascade of leaks of private information about Iranian citizens that has become widespread in recent days has puzzled people across Iran. Following the data leaks from the Ali Baba Travel Agency, the National Registration Organization, the Sib online app store, and Saderat Bank, large volumes of personal information belonging to Iranian citizens have now been published online.

Information on 600,000 user accounts of the National Railway Transportation Company (RAJA), 2,300 administrative letters and documents related to Homa Airlines, 5,000 letters and documents related to Mahan Airlines, information on 700,000 user accounts of Mobinnet Company, 400,000 users of Iran’s Telecommunication Company, 90,000 members of the Afarinesh Language Training Institute, 950,000 users of the Iranian Research Institute for Information Science and Technology (IranDoc), and the total database from the Student Affairs Organization of the Ministry of Science about students studying abroad, are only part of the information leaked. The data troves are now being bought and sold on the Internet.

Many people initially assumed that some of the leaked information may be fake. But according to documents released by hackers who illegally accessed these databases, the security standards of these organizations were so low that there was no need for complex operations to obtain the data. The hackers said anyone with basic search skills could have accessed the information.

The fact that hackers used the simplest methods to break into these sites shows that these organizations and companies did not value their users or their privacy.

But some institutions have insisted on saying that the leaks were fake. One such body, the Iranian Research Institute for Information Science and Technology, or IranDoc, said in a statement that there had been no sign of forced access to their systems or the removal of data. And yet the data offered for sale by the hackers proves otherwise.

But Abolghasem Sadeghi, the deputy head of security of the Iranian IT Organization (Maher), confirmed the hacks as genuine and said that Maher was investigating the matter. Sadeghi said that the negligence of the organizations was at fault and that this was evident because the hackers did not use advanced methods in their work.

Sadeghi added that more regulations were needed to protect users’ privacy online if institutions like Maher were to be effective. 

"The privacy bill, which has been in place for some time, is pending approval by the government's specialized commission," Sadeghi said. "For this reason, the only thing we can do is to announce anonymized information to the public about general security flaws, in order to raise awareness in society. On the other hand, we provide targeted information to [law enforcement] agencies." But it was not clear what Sadeghi meant by “anonymized” information.

The information leaks first occurred in March 2020, when Maher issued a statement urging the government and relevant agencies and business owners to address the weaknesses of their databases.

"If security vulnerabilities are not monitored and resolved within 48 hours, these agencies will be reported to the judiciary," Maher warned at the time. But this does not seem to have happened.

Debate continues on which institutions should be held responsible for the incident. Discussions between Afta Strategic Management, affiliated with President Hassan Rouhani, and Maher, a subsidiary of the Ministry of Communications and Information Technology Organization, have not yet reached a conclusion. And there is no word of an intervention by the judiciary.

Iranian law regarding the theft of personal data is limited to Article 1 of the Computer Crimes Law, which refers the punishment for information theft or unauthorized access to Clause 729 of the Islamic Penal Code. In this clause, a person who attempts unauthorized access to the information of any agency shall be punished with imprisonment from 90 days to one year or be fined 500,000 to 2,000,000 tomans, or US$33 to US$133.

Iran still has no law that defines the responsibility of different agencies and organizations for protecting the personal information of citizens and Internet users, or that holds them accountable in the event of a breach.

In 2017, the Ministry of Communications began drafting a bill to protect personal data. In August 2018, it was announced that the bill had not yet been approved by the Cabinet and had not been submitted to parliament for approval.

The resulting muddle means that institutions, organizations, and companies responsible for personal information do not pay attention to the security or privacy of their users and customers, because the law does not adequately protect against the disclosure of citizens' data.

Personal data leaks can do great harm to users; for example, making it possible for others to access contact numbers, national identity codes, or addresses, which can expose individuals to nuisance advertising or to scams that can leave irreparable damage.

But the Islamic Republic of Iran does not value the lives of its people and its citizens; it cannot be hoped that it will take steps to prevent the disclosure of information or to punish negligent officials, whose actions have led to the disclosure of people's personal data.
