Exposed: Unsecured Data of 194 School Employees in Abai Region Now Publicly Available
Following a recent data breach reported by Vechernyaya Astana, the Borodulikhinsky District Prosecutor's Office has uncovered a significant security lapse at three secondary schools in Kazakhstan. The breach occurred during the announcement of state procurements for employee medical check-ups: the published procurements contained personal data, including full questionnaire data and Individual Identification Numbers (IIN).
As a result, the school directors were held administratively responsible, subjected to disciplinary penalties, and fined a total of over 1 million tenge. The affected employees, numbering 194, must now have their personal data protected according to current legislation.
To prevent such incidents in the future, several key measures should be considered. Firstly, educational institutions should adopt a Zero Trust Security Model, which operates on the principles of “never trust, always verify” and “default deny.” This approach limits the lateral movement of attackers if one device is compromised.
Secondly, continuous, 24/7 monitoring of networks and data access is crucial for early threat detection and response. Educational institutions should track vulnerabilities and suspicious activities even outside normal business hours to protect sensitive employee information against evolving cyber threats.
Thirdly, strengthening authentication and access controls is essential. Measures such as multi-factor authentication, endpoint protection, micro-segmentation, and AI-driven threat detection can enhance defence against unauthorized access to personal data.
Fourthly, educational institutions should align their data protection policies with evolving national standards and regulations aimed at cybercrime prevention and data security. Kazakhstan is actively enhancing its cybersecurity legal framework to hold institutions liable for online fraud.
Addressing risks related to human factors is also important. Employees should be educated about risks like phishing, fraudulent scams, and social engineering, which are common in Kazakhstan's cyber environment. Awareness and training help reduce accidental data leaks caused by insider error or deception.
Lastly, educational institutions can benefit from participating in or adopting protocols developed through national cybersecurity initiatives and international cooperation programmes, such as those supported by organizations like UNICEF in Kazakhstan. These initiatives emphasize the protection of personal data and vulnerable groups online.
In summary, preventing data breaches in Kazakhstan’s educational institutions requires a combination of modern cybersecurity frameworks (like zero trust), proactive and continuous monitoring, strong authentication, compliance with local regulations, user education, and collaboration with national cybersecurity initiatives. These measures collectively help safeguard employees' personal information from increasingly sophisticated cyber threats.
Cybersecurity technology plays a critical role in safeguarding personal data in Kazakhstan's educational institutions, as evidenced by the need for a Zero Trust Security Model, continuous monitoring, and stronger authentication to protect against cyber threats. Effective implementation of these technologies can help prevent future data breaches.
Adopting and adhering to national cybersecurity regulations is essential for educational institutions in Kazakhstan, given the country's active efforts to enhance its legal framework for cybercrime prevention and data security. This ensures that institutions are held accountable for online fraud and that they protect the personal data of employees.