Massive data leak: Ukrainian IDs, other documents exposed by years of cyber negligence

Shoddy cyber security at Ukrainian vehicle inspections has exposed hundreds of thousands of personal documents for the past four years.

Largely scans of passports, taxpayer identification numbers, driver’s licenses and vehicle registrations, the documents span a broad stretch of Ukrainian geography and demography. Mostly, they identify people who were buying or selling used cars internationally.

Up until April 1, the documents were available, unprotected and unencrypted, on a server of one of the largest cloud storage providers in the world that, though tough to get to for regular users, is easy enough to find for bad actors.

“If it hasn't already been accessed, it's just a matter of time before it is and can be abused to ruin a lot of people,” says cybersecurity and access management specialist Jake Dixon, who spotted the documents. “And I know that there are teams of people in Russian intelligence and Russian cyber commands that are looking for stuff like this.”

The earliest documents date to the start of 2021. Dixon found them and informed Ukrainian authorities back in April 2022, but said it went nowhere. Only now, three years later, once contacted by the Kyiv Independent, authorities appear to have started securing them.

The documents in question currently number 992,978. They all seem to come from vehicle inspection sites, which check and certify used foreign cars sold into Ukraine. Ukrainians buy upwards of 300,000 such vehicles per year, per Interior Ministry data. Documents gathered for those vehicle inspections form the core of the database.

Many of the documents are relatively harmless, like photos of cars and receipts for transactions, or certifications themselves. But the database includes core identifying documents like passports and taxpayer cards (similar to a U.S. Social Security Card) for likely tens, and possibly hundreds of thousands of Ukrainians, as well as foreign entities who sold cars into Ukraine. Unprotected, it was a ripe target for identity theft. There is no way of knowing the extent to which it has been accessed or what data has been taken from it.

As of publication, the most recent batch was uploaded on March 11. The earliest documents date back to the beginning of 2021. On April 1, 2025, what seems to be all of them were taken private.

Cyberwartime measures

The data leak comes as Ukraine has been — in theory — on high alert about cyber security for over three years.

Formerly public data for many Ukrainian services have gone dark since Russia’s full-scale invasion. This is in large part out of concerns that Russian intelligence or hackers will use information from sources like property registries to locate, blackmail and extort Ukrainians.

At the same time, personal data of thousands of Ukrainians have been endangered through what appears to be sloppy security at vehicle inspections centers. The centers are private businesses certified by the Ministry of Development of Communities and Territories that provide inspections of the condition of a car — a government requirement when a car is brought into Ukraine from abroad.

Border security personnel stand guard at the Krakivets-Korczowa car checkpoint on the Ukraine-Poland border, about 70 km from Lviv, on Aug. 16, 2022. (Yuriy Dyachyshyn / AFP / Getty Images)

The cloud storage provider in question is regarded as a highly secure system for data management. However, that is not the case when the data collected is not protected by basic security like a password. For obvious security reasons, the Kyiv Independent is not including links to the cloud server containing the documents in question.

However, it’s relatively easy for individuals with fairly cheap specialty software to navigate it and find the documents. Dixon himself located the bucket using software that scans for sensitive data left vulnerable, software that he says certainly exists in Russia and elsewhere.

Scanning for unsecured personal documents has been “a risk since people started moving to the cloud. It's something that threat actors actively watch,” says Dixon. “I would be surprised if it hasn't been discovered by someone else in the frame of time since I discovered it. And they're still uploading files to this container.”

The way the data in question is arranged makes it more complicated to use en masse, or search through for names of specific people listed. It is, however, easy to go through and find individual identifying information for random individuals.

“I think there was a drive for digitization and this (system) just got pushed because someone needed access to this data quickly, and then some connection got opened, some configuration got changed. It's just been sitting there ever since, collecting,” Dixon described the exposed batch of documents.

Who’s responsible?

Dixon warned Ukrainian cyber authority the Computer Emergency Response Team of Ukraine, or CERT-UA, of the exposure back in 2022, per emails reviewed by the Kyiv Independent. After responding to Dixon asking for more information, CERT-UA went quiet for, apparently, three years.

Anton Kobyliansky, a representative for the State Special Communications Service which oversees CERT-UA, told the Kyiv Independent that the responsibility for both was “cyber incidents,” which did not include this leaked data. Kobyliansky said this data was likely the responsibility of the Ministry of Digital Transformation and declined to comment.

The Ministry of Digital Transformation is the agency that launched Diia, a mobile application that digitizes government services and documents. Announced in 2019, Diia launched in early 2020 with passports and driver’s licenses the first documents to be digitized. Viktoriia Savchenko, a representative for the Ministry of Digital Transformation, similarly denied her agency’s responsibility for the data involved.

The documents come from a number of privately-owned Ukrainian vehicle inspection centers, almost all relating to government-mandated certificates for the import of used vehicles. A number of phone numbers for service centers listed including Center Auto and AutoTechnoServis were dead.

A staffer for Euro-Center, one of the inspection centers that appear most frequently in the leak, did not return a request for comment when reached. The contact number for another servicer, VK-Auto, hung up on the Kyiv Independent, when asked about the data leak.

The government authority licensing the vehicle inspections stations is the Ministry of Development of Communities and Territories, previously called the Ministry of Infrastructure. When reached, Ruslan Kyrychenko, head of the Technical Regulation Department of the Road Transport and Safety Department within the ministry, said: “We note that the vehicle inspection centers do not report to the Ministry of Development.”

Currently, Ukrainian government data is heavily centralized. A hack that came to light in December took the bulk of Ukraine’s federal government registries offline for weeks, stalling services ranging from incorporation to vehicle sales to marriage registration.

Responsibility for that government data is, however, thoroughly dispersed.

The Kyiv Independent contacted the relevant authorities on March 26 — including the above, representatives for Ukraine’s State Security Service and the Ministry of Justice.

All denied ownership of the data. Yet, after repeated follow-up, the data on the server began to go private on April 1, 2025 — just shy of three years after Dixon, an Irish national living in Estonia, first reported the problem to Ukrainian authorities. As of publication, none of the officials contacted would acknowledge involvement in taking the data offline, but someone was clearly responding to inquiries.

“Sloppy,” says fellow cybersecurity specialist and sometimes hacker on behalf of Ukraine Karla Wagner, upon reviewing the open data. “There’s a high probability that someone set this up in a hurry, perhaps even deployed a demo, with data replication turned on by default, and they didn't take the time to secure it.”

It is not complicated to make one of these databases private, or guard it with a password.

“These days, whenever you go into that configuration, it comes up with a big warning saying, ‘do not leave this as public’ because of how many times this has occurred for people,” says Dixon.

“It shouldn’t be open like this, especially in a time of war.”

Note from the author:

Hi, this is Kollen, the author of this article. Thanks for reading. Ukrainians’ responses to Russia’s invasion showcase a society that is deeply resilient and inventive, despite pullbacks in aid. If you like reading stories highlighting those features from on the ground, please consider supporting our work by becoming a member of the Kyiv Independent.