For three years after the problem was discovered, some car owners’ documents were stored in an unsecured storage facility for about four years.
According to Kyiv Independent, 992,978 documents of Ukrainian car owners were stored in the storage of one of the world’s well-known cloud providers. This includes data related to technical inspections, mostly for owners of used cars from abroad, including passports and taxpayer numbers, driver’s licenses and registration documents. Until April 1, the documents were available in unprotected and unencrypted form. Ordinary users did not have access to them, but it was not difficult for attackers.
«If it hasn’t been accessed yet, it was only a matter of time before it was, and it could be abused to kill a lot of people. And I know that there are groups of people in Russian intelligence and Russian cyber commands that look for things like this,» says cybersecurity and access control specialist Jake Dixon, who spotted the documents.
We are talking about data from 2021 and later. Dixon found them in April 2022 and reported them to the Ukrainian authorities, but their status has not changed since then, until yesterday. The documents probably come from technical centers that inspect and certify used foreign cars — vehicle inspection data is the core of the database. It contained photographs, inspection receipts, certificates, and personal data from the documents of tens of thousands, and possibly hundreds of thousands of owners. The database was regularly updated, most recently on March 11, 2025.
The expert claims that with the help of inexpensive special programs, an attacker could relatively easily navigate the database and find documents. The way the data is organized makes it difficult to use or search the list en masse. Dixon himself has successfully experimented with this, and he says that hackers from Russia or other countries definitely have such software.
Dixon alerted Ukraine’s Computer Emergency Response Team (CERT-UA) in 2022, according to emails reviewed by journalists. He was asked to provide additional information, but CERT-UA has been silent for three years. A representative of the State Service for Special Communications, which oversees CERT-UA, told Kyiv Independent that the responsibility for both was for cyber incidents, which did not include data leaks. He noted that the data was likely to have been leaked by Ministry of Digital Transformationand declined to comment further. After investigating the situation, the publication notes that it is difficult to find those responsible for such cases in Ukraine.
