What We Know about Data Leak Affecting 16 Million Kazakh Citizens

ASTANA – A database containing personal information of nearly 16 million Kazakh citizens was leaked in June, sparking fresh concerns about data security. As an official investigation is underway, The Astana Times digs deeper into what this incident reveals about the country’s digital infrastructure and why digital hygiene matters now more than ever.

Photo illustration created by Fatima Kemelova/ The Astana Times

Digitalization is progressing rapidly in Kazakhstan, with ambitious goals to expand online public services, enhance electronic government and integrate artificial intelligence. But with the growing digitization come high risks.

What happened?

According to a statement provided to The Astana Times by the Information Security Committee of the Kazakh Ministry of Digital Development, Innovations, and Aerospace Industry, a joint unscheduled inspection of information systems was conducted by the ministry, the National Security Committee, and the State Technical Service, a government body tasked with creating a secure digital space across the nation’s digital infrastructure.

“The inspections confirmed that there were no breaches of government information systems. It was established that the database circulated on the internet contained outdated information, current as of 2022. The data originated from previous leaks and was partially supplemented by users with access to the systems as part of their official duties,” the committee said.

It also noted that all materials have been handed over to law enforcement agencies for the initiation of criminal proceedings. 

Personal data is always of interest to cybercriminals

Any system that processes personal data will “always be of interest to cybercriminals,” said Bekarys Kabi, a project manager at TSARKA, Central Asia’s leading cybersecurity service provider. 

“We cannot comment on technical details, as an official investigation is underway and it is important not to interfere with the process. At this stage, we believe the published database is a compilation of previously stolen and fragmented data, merged into a single file and falsely presented as a supposedly new leak. Similar cases frequently occur on the dark web for the purpose of selling various databases,” Kabi said in a comment for this story. 

What does the incident reveal?

The incident, however, reaffirms the need for real-time monitoring and auditing of database access, revision and regulation of rules for sharing personal information between organizations, promotion of a culture of information security among all stakeholders and tightening of the legislation and regulatory requirements related to the storage, processing and protection of personal data.

“From a prevention standpoint, several key measures play a critical role – regular independent penetration tests that help identify vulnerabilities before malicious actors can exploit them, connecting organizations to sectoral cybersecurity centers, which facilitate the exchange of information on threats, incidents, and protection guidelines, and participation in bug bounty programs, where ethical hackers help uncover flaws in a secure and controlled environment before they lead to data breaches,” Kabi explained. 

He suggests a well-rounded approach that emphasizes proactive defense, transparency, and joint efforts among the government, private sector, and cybersecurity experts as a crucial way to minimize future risks.

Not the first one

The recent leak, while large in scale, is not the first one in Kazakhstan. 2024 saw several high-profile data breaches, including the mass leak of Kazakh citizens’ personal data on the Chinese platform GitHub, the exposure of data from two million clients of the zaimer.kz microfinance organization, and the unauthorized disclosure of students’ medical records at a university in Almaty. 

These incidents raise questions about why personal data continues to circulate online and who is responsible for its collection, storage, and mishandling.

Current legislation

The collection, processing and protection of personal data in Kazakhstan is governed by the law on personal data and its protection. The ministry is the authorized body responsible for personal data protection and considers appeals from individuals and legal entities on matters related to personal data and its safeguarding.

The committee said the ministry’s mandate also entails taking measures to hold parties accountable for violating Kazakhstan’s personal data protection laws and conducting unscheduled inspections in this area. The law and related bylaws establish requirements for safeguarding personal data through a combination of legal, organizational, and technical measures.

“Violations of personal data protection legislation are subject to administrative liability under Article 79 and subparagraph 1, paragraph 1 of Article 641 of the Code of Administrative Offenses of Kazakhstan, as well as criminal liability under Article 147 of the Criminal Code of Kazakhstan,” said the committee. 

Recent amendments

In December 2023, Kazakhstan adopted a new law on amendments and additions to certain legislative acts of Kazakhstan on information security, informatization, and digital assets. The legislation aims to strengthen the protection of personal data and introduce new mechanisms for ensuring the cybersecurity of informatization systems.

Key provisions of the law included granting the ministry the authority to conduct state oversight over compliance with personal data protection legislation; prohibiting the collection and processing of identity document copies containing personal data, except in cases where there is no integration with government information systems, technical identification is not possible, or otherwise provided by law; introducing mandatory notification of citizens in the event of personal data leaks; and allowing citizens to voluntarily opt out of receiving bank loans via an electronic government application.

One of the key reforms was also the legalization of so-called white hat hackers, who can now officially participate in the country’s bug bounty program. Widely adopted in the private sector around the world, the platform allows cybersecurity researchers to identify and report vulnerabilities in e-government systems, and in Kazakhstan’s case, on a voluntary, unpaid basis.

“The platform enables white hat hackers to detect vulnerabilities and report them in exchange for compensation. However, when it comes to our e-government systems, the vulnerabilities are reported free of charge,” said Ruslan Abdikalikov, chairman of the information security committee, at a press briefing in August 2024 in Astana. “I’d like to express my gratitude to the researchers who do this important work without asking for any reward from the government.”

Fines are becoming more stringent

In another legal step, in January this year, President Kassym-Jomart Tokayev signed the law that makes amendments and additions to the Code of Administrative Offenses of Kazakhstan. Under the amendments, penalties for violations of the country’s personal data protection legislation are increased. 

Under the revised law, administrative fines will range from 30 monthly calculation indexes (MCI) to 2,000 MCI, which is roughly between 117,960 tenge (US$217) and 7.9 million tenge (US$14,553). The amendments took effect on March 13.

“The changes also extend the statute of limitations for bringing individuals and legal entities to administrative responsibility for offenses related to the protection of personal data and electronic digital signatures from two months to one year from the date the offense was committed,” said the committee.

“New types of administrative offenses have been introduced under Article 640 of the Code of Administrative Offenses of Kazakhstan, establishing liability for the use of another person’s electronic digital signature private key. Once the amendments took effect, both the person who shared their electronic digital signature and the person who used it would be held accountable,” said the committee. 

Legislation continues to be improved 

The ministry said it is working consistently to improve the legislation on personal data protection. 

Currently, amendments to laws on personal data protection and informatization are under review by the Mazhilis, the lower chamber of the Kazakh Parliament. These amendments aim to enhance the legal framework and establish new mechanisms for ensuring information security at state-owned informatization facilities.

Risks

While the latest data leak reportedly dates back to 2022, some experts caution that the data, including names, addresses, individual identification numbers, and phone numbers, can still be used for phishing, identity theft, or scams. Those risks grow further in the absence of strong digital hygiene.

According to official figures from the ministry, in 2024, public awareness of cybersecurity issues in Kazakhstan reached 80.4%. 

“Every citizen [of Kazakhstan] can check whether their personal data may have been exposed by using the specialized NomadGuard service available on the electronic government portal,” the committee said. 

It also advised learning about cyber hygiene by taking a free online training course offered on the CitizenSec platform, a social project aimed at helping people better understand how to stay safe in the digital world and support cybersecurity professionals.

“The ministry continues to strengthen personal data protection measures and remains open to suggestions from citizens and organizations. If you have concrete proposals to improve data protection practices, you are encouraged to submit them to the ministry via the eOtinish platform,” said the committee. 

Strong digital hygiene is key

When asked what a person can do to protect their personal data, Bekarys Kabi offers several straightforward yet essential points.

“While users often can’t directly control how organizations handle their data, they can take basic steps to minimize the impact of potential breaches. Use strong passwords and enable two-factor authentication wherever possible; regularly monitor activity in banking apps, government services, and, if needed, through credit bureaus; be cautious when sharing your personal identification number, phone number, or other personal data, especially in online forms and messaging apps,” he explains.

Other tips include avoiding clicking on suspicious links or installing unknown apps, as many attacks start with social engineering. It is also essential to stay informed about potential data leaks and, if one is confirmed, change your passwords and contact support services if necessary.

“It’s important to recognize that cyber resilience is a shared responsibility: the government must strengthen infrastructure security, businesses must handle data responsibly, and users must practice good digital hygiene,” Kabi said. 

Global perspective

According to the State Technical Service, Kazakhstan was not the only country affected by digital threats. In 2024, the world experienced several significant incidents that highlighted the global scope of cyber threats. These include the hacking of a cryptocurrency exchange in the United States, in which hackers stole over $1 billion by exploiting a vulnerability in the exchange’s system.

Another notable case is the data leak of India’s largest bank, where the data of millions of customers was published on the darknet, resulting in a wave of financial fraud.

“These cases showed that attacks are becoming increasingly sophisticated and large-scale. Even the most technologically advanced companies are unprepared for today’s threats,” writes the State Technical Service.

“Cybersecurity is no longer just a technical challenge – it is a strategic necessity that determines the resilience of organizations in the digital world. In 2025, the number of cyberattacks and the development of AI technologies are expected to increase, which will require companies not only to implement advanced solutions, but also to train personnel capable of responding quickly to threats,” it said. 
