24.06.2025 09:13:00
Дата публикации
One of the largest personal data breaches in Kazakhstan’s history hit the web in June 2025, leaking sensitive IIN records for roughly 16 million residents. Legal expert Elzhan Kabyshev of the Eurasian Digital Foundation (EDF) outlined risks and immediate protections for anyone affected.
Analysis shows the archive contains data not only on Kazakhstanis but also on citizens from at least five top-ranked countries: Russia, China, Uzbekistan, Kyrgyzstan—and even Tajikistan—totaling entries from 167 nations. Technical consultant Mirat N. of IT-Баурсақи found 15,851,703 unique IINs in the trove.
The compromised fields include full names, birthdates, IINs, phone numbers and residency dates—information covered by Kazakhstan’s Personal Data Protection Act. Fraudsters can exploit this for bank scams, synthetic identity attacks and social engineering.
Mirat warns: “Crooks could map out entire families, blend real and fake identities, then carry out phishing, credit fraud or targeted marketing.” He urges everyone to resist unsolicited calls or texts from “bank” or “operator” numbers.
To shield yourself, Kabyshev recommends blocking credit applications via eGov.kz, enabling 2FA on every online account, ignoring unknown SMS/links, tightening social-media privacy and cutting public exposure of personal info.
The archive may have been sold, then dumped for attention once its black-market value fell. But its informational power remains high—especially since it even includes newborns from 2024. Re-leaks could perpetuate the threat endlessly.
Under Kazakhstan’s Criminal Code, illegally collecting or sharing personal data can carry up to seven years in prison under aggravated circumstances. But Kabyshev notes real prosecutions hinge on digital forensics and cross-border cooperation.
He calls for institutional reform: an independent data protection regulator must be carved out from the Ministry of Digital Development, and granted real audit and sanction powers over all state bodies handling personal data.
Without this overhaul, Kabyshev warns, investigations will remain limited and future mass breaches almost inevitable. “We need structural change to turn data privacy from aspiration into reality,” he concludes.
For anyone who finds their IIN in the leaked archive, immediate action is critical: secure your accounts, lock down credit, and monitor for suspicious activity. Preventive steps now can save you from months or years of fraud.
The compromised fields include full names, birthdates, IINs, phone numbers and residency dates—information covered by Kazakhstan’s Personal Data Protection Act. Fraudsters can exploit this for bank scams, synthetic identity attacks and social engineering.
Mirat warns: “Crooks could map out entire families, blend real and fake identities, then carry out phishing, credit fraud or targeted marketing.” He urges everyone to resist unsolicited calls or texts from “bank” or “operator” numbers.
EDF’s Kabyshev stresses that an IIN never changes—it’s a lifetime key to your identity. Paired with a phone number, it unlocks deeper data through marketing and banking services, leaving all Kazakh-born 1950–2024 at risk.
The archive may have been sold, then dumped for attention once its black-market value fell. But its informational power remains high—especially since it even includes newborns from 2024. Re-leaks could perpetuate the threat endlessly.
Under Kazakhstan’s Criminal Code, illegally collecting or sharing personal data can carry up to seven years in prison under aggravated circumstances. But Kabyshev notes real prosecutions hinge on digital forensics and cross-border cooperation.
He calls for institutional reform: an independent data protection regulator must be carved out from the Ministry of Digital Development, and granted real audit and sanction powers over all state bodies handling personal data.
Without this overhaul, Kabyshev warns, investigations will remain limited and future mass breaches almost inevitable. “We need structural change to turn data privacy from aspiration into reality,” he concludes.
For anyone who finds their IIN in the leaked archive, immediate action is critical: secure your accounts, lock down credit, and monitor for suspicious activity. Preventive steps now can save you from months or years of fraud.
Stay informed, stay protected—because in today’s digital Kazakhstan, data security is everyone’s responsibility.
