Albanian Government Council of Ministers

Prime Minister Edi Rama held a press conference on the leak and circulation via “WhatsApp” of a database containing salary information on citizens of the Republic of Albania:

 

Prime Minister Edi Rama: Good afternoon everyone! I would have wished to talk about a very important decision we have made regarding a fresh government initiative to take the interaction with the citizens to a whole new level, but given the most recent event amid circulation through the communication channel “WhatsApp” of the data on the citizens’ salaries, I am sure that the initiative would not attract your attention, while, rightly enough, the public opinion wants to know my and the government’s position regarding this sensitive issue.

Therefore, it is most likely that the communication about the initiative will take place tomorrow, while we have invited you today to talk about the circulation of data on salaries of the citizens of the Republic of Albania.

First of all, I would like to apologize to all those who are rightly concerned about this intrusion into their private life and in the meantime, I would emphasize that this event deserves a thorough investigation.

I very much hope and I call on the law enforcement bodies, the Prosecutor’s office to conduct this investigation by mobilizing all their capacities and, on the other hand, I would like to share my view with the public that it is not difficult for one to figure out that the goal behind this action is to cause confusion and trigger instability, in an attempt made not for the first time and, taking notice of the statements issued assemblies and anti-assemblies, they may not be the last.

Therefore, my appeal to the Prosecutor’s office is to investigate into this incident, demanding that everyone, without exception, the tax administration inspectors with an access to the database on the citizens’ salaries, all those currently working in this system or other individuals who might have been removed from this system during the period of the leaked data, as well as look into the individuals who warn of more obscure intentions.

Second, I would like to clarify that this is about an intrusion, whose origin must be definitely investigated to the end, but the preliminary probe shows it looks much more like an internal intervention rather than an external one in the form of a cyber attack, which can also happen. We are neither the first nor the last to face such attacks.

If you are to refer to the last period of time only, the period between 2019-2020-2021, such events have taken place in many countries with very high cyber defence capacities, from the USA, to Russia, from Great Britain to Canada, and so on and this is a new challenge nowadays.

On the other hand, I would like to point out a fact, which is very important, because the citizens rightly want to know how safe are their digital interactions with our system, with the tax system in this case, I want to clarify that this is a software and a digital system built more than eight years ago through a soft loan provided by a European Union member state and building the system involved joint technical resources from that country and Albania and who are the system administrators since then.

Why am I saying this?!

I am not saying this to cast a shadow of doubt on them, but to tell everyone that this system, as well as any other system, belongs to a legacy, which is being worked on continuously, in a process of full integration of the defence system, which is not something easy to deal with.

This is the reason why I appeared at this press conference with the Director of the National Agency for Information Society (NAIS), as she possesses all the technical know-how to explain to the public opinion, through your questions, the NAIS database system’s full integrity, as a system that hosts millions of interactions and a system that increasingly provides more guarantees to the integrity of the data.

These two aspects, namely the aspect of the work and the whole NAIS interaction with the aspect related to this incident and the tax system, are in no way technically related to each other. This is to assure all citizens of absolute data integrity.

Having said that, as I already noted by citing the example of other countries, we are exposed, as everyone else is, to cyber attacks, and NAIS, an institution operating on three main pillars: programming and systems maintenance, scientific research in view of programming, as well as cyber defence, which is part of the NAIS task, regularly faces cyber attacks, on a weekly basis if not daily, which are not made public, but are all in the NAIS protocols.

To further strengthen our defence system, based on the October agreement with the US government to include the system in one of the most excellent and most advanced cyber defence systems, namely General Jones, the company named after its founder, General Jones, who has been serving as NATO Supreme Allied Commander, and who is currently involved in the process of providing cyber defence for the Transmission System Operator (OST) and the Power Corporation (KESH).

Since their involvement until today, we are happy with the outstanding performance and resilience of the digital systems of these two public utilities highly exposed to cyber attacks.

Having said all this, as I already stated, the preliminary probe shows that the eventuality of a cyber attack is minimal, if not zero, because we can never absolutely rule it out, and the eventuality of an internal intrusion into the system, most likely through undercover individuals. So, while work to reinforce the protective firewalls of these systems continues systematically, in this case it is extremely important that an in-depth investigation is conducted, an investigation by the best experts in this area, because it is not an ordinary investigation and all inspectors who have access to the system should be questioned and investigated because this is an open system, a working system and cannot be imagined otherwise but an open working system for those accessing it.

Since the system is built in such a way that it leaves traces of any interference and since no traces have been found in the system, then it is most likely that the system has been exploited criminally through infiltrated individuals, through mechanical actions, which means that we are dealing with the human factor in this case.

Given that – as I already said – the system is a relatively old one, this exposure is higher.

Meanwhile, NAIS, and I am giving the floor to NAIS Director, today has entered a new phase, marking the use of Blockchain, a much more advanced technology which makes totally impossible any manual or mechanical action on the system, since not only every digital operation leaves its traces, but every access or registration by any individual is also registered. Every digital mouse movement is recorded and any kind of data retrieval is impossible. It is impossible for one to retrieve data by using a USB and other devices.

I won’t comment further as my technical knowledge ends here, and I have developed such knowledge mechanically and through the information I have been provided with, and therefore I am giving the floor to NAIS Director, and then each of you to make the questions that the public is interested to hear.

 

Director of National Agency of Information Society Mirlinda Karçanaj: It is crucially important for me to tell citizens and businesses that the e-Albania platform is a secure and safe system and no data leak has taken place in any of the information systems. They can keep safely making use of the 1212 public services provided and delivered via the e-Albania platform and be sure that when they access services, their personal data already recorded on the respective registers are used only. Nothing else is used. The reason why the government interaction platform has been built is precisely to ensure safe interaction with these registers.

The government interaction platform provides for no direct interactions or exportations, but instead the systems are designed to carry out real-time communication with each other automatically, without having people behind the screens.

The total of 17 million transactions carried out via this platform each month, in addition to cutting all the paperwork and additional documents that citizens and businesses need to obtain, are performed safely with clear loggings recorded. The platform is maintained by Microsoft, which, as you know, is a strategic partner of the Albanian government, ensuring complete security of information recorded there.

Meanwhile, as the Prime Minister noted, blockchain technology is our key word in the near future, given that it is the safest technology in the world, since the data on a blockchain is unable to be modified and are therefore immutable, allowing no access to the stored data. We will use this technology to store data on the system of properties. Work is already underway to make sure that properties of Albanian citizens are no longer modifiable by anyone, including the State Cadastre employees and officials themselves, as well as the potential cyber attacks. But this digital exposure – I remind you of the fact that we have transited from just 14 to a total of 1212 online public services, from six registers to 55, while work to digitize 30 more registers is underway – is definitely associated and marred by all sorts of problems. The first problem is the access of those who have to use the system with indefinite roles, with ambiguity, with the need for change and improvement of all systems.

Fortunately, we will establish a strategic partnership with Jones Group International under the agreement with the US agreement signed in October. Jones Group International is the leading American company, successfully already operating with OST and KESH. I have seen the initial output presentation and most importantly the presence of this company will help us not only with the taxation system certification, but also with the ISO certification of all other state systems. ISO certification also includes a clear definition of the physical access to information by all those who should use it for work purposes, clearly separating their roles.

I would also like to underline that the NAIS government database is certified with ISO 27001 information security and ISO 9001 for information management.

We don’t award ISO certificates to ourselves, but they are awarded by certified companies, which conduct regular audits every year, to check whether policies in question are properly applied. The tax system has yet to be ISO certified, and we are in the process of certifying this system, based on the OECD recommendations.

* * *

-You talked about the system’s integrity and somehow you ruled out the possibility that the system could have been hacked, but does the fact that a man hired to preserve the data of Albanian citizens leaked it to the public make this scandal worse?

You also talked about the latest investment project to introduce blockchain technology that does not allow anyone to get their hands on it, because it can leave traces, but a person can do it very easily by taking pictures on the screen where the data is shown. In other words, I mean if the data are leaked by a person, who is definitely a criminal as he or she has committed a criminal offence, revealing the data of all citizens to the public. How can this be prevented? I am asking that a similar person leaked personal data of the voters to the public ahead of the general elections. Thank you!

PM Edi Rama: I would repeat a very important element! We should clearly dissociate the government interaction and public services platform, namely the e-Albania platform, from the tax administration system, which is an internal system, built and programmed more than eight years ago and the two are not correlated with one another. This primarily means that citizens should clearly know that any interaction with e-Albania, millions of them each month, are part of a completely different system with international security certificates, whereas the tax system is an old one, which we or more precisely the NAIS, the agency tasked with constantly improving all systems and creating conditions for the integrity, has made continuous efforts and has delivered constant improvements together with the managing companies.

Speaking of individuals, let me cite some cases. The United States, you revealed all the secrets to the entire world. And it was individuals who did it! The famous case featured the character that collected everything he had been tasked with defending and went on to expose all the data to the adversaries of the United States, and he was granted political asylum from them.

The incident in Canada in 2020, when 360,000 teachers became victims of someone, who had used fake credentials to obtain the identity of all individuals working as teachers, and bear in mind the fact that the system in question, it was not just about stealing names or ID cards, but unlike here, where the ID card, as I said when this problem surfaced for the first time, contains nothing, whereas the ID card in the Canadian system contains full personal data.

The private biometric company supplying London’s Metropolitan Police in the United Kingdom was hacked and it was unable to prevent the leak of more than 1 million of fingerprints.

France experienced a cyber attack in September, a very aggressive cyber attack that stole all the personal data of individuals entering France or migrating to the country. And it is about endless very sensitive data.

In other words, this is a challenge facing every country, since we have embarked on this realm. What every country does and what we, too, are doing and will keep doing is enhancing the number of firewalls, the system’s protective walls to narrow as much as possible the window of possible access to the system by an individual, so that a single individual is unable to look at the whole system. Concretely, for the tax inspectors this is the payrolls register, which is an internal system having nothing to do with the citizens. The system has simply to do with the salaries declaration and such a system is a must for the tax inspectors, because it is impossible to go back to the use of pens and pencils and the copybook, and accessing that system is certainly highly sensitive. Employing an ally on this path, namely the Jones Group International, will help us a lot since it is the company that built protection of the Pentagon’s system, exactly after its system was penetrated and broken. The Pentagon’s system, the US military secrets were broken by internal individuals and not by cyber attacks. Hiring that company will strengthen our resilient capacities, but I would like to highlight something else too. This case resembles a lot the case you cited in your question, namely with the leak of the numbers of ID cards. It resembles the release technology, it resembles the propaganda associated with the leakage, but I am not here to play politics. I think that when facing such situations and when we have to deal with very reasonable suspicions over alleged individuals committing such crimes, we need to stay and act all together. We can’t afford to blame each other and accuse each other of making use of criminal elements. In this case, someone has illegally opened a door to the virtual and this has been done by a single individual and we can’t take advantage of such cases to immediately level accusations against other people. I would also like to tell you something. 
I took the first incident lightly, thinking that the ID cards are totally irrelevant in terms of impact on the citizens’ lives, thinking they are simply like current license plates. However, as soon as these data are complete, everything changes.

If someone steals my ID card number, that’s not a big deal, as they can do nothing at all with my ID number, because for one to access the government portal e-Albania, the ID card number is not sufficient. You should also know the personal code or password to access the platform and therefore you can conduct no interaction whatsoever in the name of someone else. Even if someone happens to find or steal my ID card, if I am not an e-Albania platform user, nobody can access my platform personal account and apply for public services, because specific codes are required, and, in addition to that, the e-signing is also required. In other words, for one to access the platform, he or she should know all these other elements and that’s why I took it lightly. I have stated that Socialist Party doesn’t need the number of ID cards of the citizens. And it doesn’t need them. It is as simple as that. And there is yet another element. The leaked database back then resembles a lot the recently-leaked database. It is equal in terms of lack of integrity and it is not an integral, fully exported database, but a database processed in pieces, many of them, and it doesn’t include the salaries of every citizen of the Republic of Albania. It lacks the salaries of around 60 000 other people. Is this the most opportunistic moment for the individual or a group of individuals to commit this crime, or is there something else hiding behind this crime? This is something we don’t know yet. This will be revealed by the investigation, but the leaked database contains a lot of old data. What does this mean? It means they are not recent data, but data of January, February and March and as such they are old data. So, the potential of database exportation is an option and retrieving latest data and their processing on that database is totally a reasonable option. All these elements indicate that the database has been retrieved earlier. 
The system is the one that became a public cause and a huge public scandal in 2013 and an investigation was launched by the prosecutors, leading to the arrest of certain individuals, suspected of deleting the outstanding VAT payments and defaults. The outstanding payments of a number of companies were deleted when the power change was to take place. Measures were taken in collaboration with the company to prevent this from happening and it is no longer possible for anyone to access the system now. The system was totally vulnerable previously and could be manipulated by the man’s hand.

This is no longer the case today, since any intrusion or operation leaves its traces, but what you said is actually unavoidable. Everyone has come across incidents with workers within a big bank, a secret service agency and even inside a nuclear station taking pictures of these facilities. These are elements that should be revealed by the investigation, but this time it is not something to be taken lightly. This time is really disturbing, as it contains data on the monthly salaries of individuals, like teachers and doctors, whose salaries are actually known publicly, but when it is about the internal relations within a private company, this is a big deal and this is disturbing and that’s why I again would apologize to all people who have been affected. This is serious and this is the reason why the investigation this time will at least convey a message to all of those who are granted access to these systems that they won’t get away with it. Whether the perpetrator will be discovered or not this is something that will be tackled by the investigation. I think that every inspector, more than 100 of them, who have access to the payrolls system because of their duty and every inspector who has had access to this system since January should be questioned. All the individuals, without exception, who throw threats at political party gatherings or assemblies, as well as those who jump to conclusions at TV studios and talk shows, should be questioned and become subject to the investigation.

They should all be questioned about the information they possess, the source from which they have retrieved their information. I avail myself of this opportunity to sincerely appreciate all the media and TV channels for rightly commenting on this issue as it deserves to be commented on, but have refrained from releasing sensitive data. I would also like to thank all those who haven’t committed such a crime by reporting and revealing such data on their web portals. Those who have evaded exposure of the data on the media and have instead used “WhatsApp” may have taken this into consideration and this is an interesting fact. They didn’t do so in the previous data leak, but they did this time. I am not alleging that they are the same individuals, but the two incidents bear resemblance and contain many very similar elements, and it includes another element too, as I think you have earlier reported that such a database has been already circulated via “Tik-Tok” several months ago, yet nobody took advantage of it as they are doing now. Why is it happening now? Why is it being used now and why spokespersons of the grata and non-grata individuals warn of more data to be released? Where from? How? This is clearly a hand seeking to cause confusion and instability in terms of public security and I would like to reiterate that there is no other option but to go on with the digital revolution. This could have also been spurred by the fact that for weeks now we have launched a public awareness raising tour to inform citizens on the fact that the public service windows will be shut down soon and every service will be delivered online only and we are determined to do so in order to totally eliminate long queues. We are determined to put an end to the distress, to put an end to the tricks that public administration officials and employees play on citizens, put an end to bribery and corrupt actions and we won’t be deterred by those who throw stones and hide their hands.
I don’t want to speculate, and I don’t want to say more than what I think, because I don’t want to do the same thing as those who immediately take advantage of such criminal offenses, identify the relevant criminal and promptly associate the action and the individual with the government. I am not associating anything or anybody with anybody, but I am just saying this is a meaningful and significant case, showing how far certain individuals and forces can go in acting against the citizens just for their narrow interest and purposes. Such individuals are certainly within our ranks too, and therefore we will make utmost efforts to strengthen the entire capacity to build firewalls as we are really exposed. The Director can provide more detailed information on how many cyber attacks are launched against Albania, as it is the case of cyber attacks against any country all over the world. I met with the Israeli Ambassador a few days ago. Israeli hospitals experience cyber attacks twice a day and the country’s systems are so advanced and capable of preventing such attacks, but we are not Israel, a world superpower in this respect.
