An outdated password led to the leak of state secrets in Poland
Journalists of the Polish media outlet OKO.press discovered that a password that had long been publicly available on the Internet could be used to access a confidential government database. It contains detailed maps of the military port of Gdynia, a flood evacuation plan for Warsaw, and other classified information.
Three years ago, an employee of the Polish branch of ESRI, an American company that develops ArcGIS mapping software, emailed a link to a presentation analyzing one of the crisis scenarios in Warsaw. In the email, he provided a login and password to access the presentation.
OKO.press journalists also found out that the password, which was sent back in 2020, remained valid until May 5 this year. This means that the owners of the Polish government profile in ArcGIS did not even know that their credentials had been in the public domain for three years, and the secret information contained in the system could have been exploited by intruders more than once.
In Poland, it was reported that a massive hacker attack took place — along with the password to the ArcGIS cloud account, cybercriminals stole «thousands of emails.» However, it is still unknown which group or country is behind it.
According to OKO.press, the email also contained a lot of other classified data, including lists of Polish border guards, regular troops, police, military intelligence, and special forces. It also contained detailed data on the coronavirus pandemic in Poland, with information on mortality, morbidity, and the number of recovered people on specific days, broken down by province.
This is not the first time the Polish government has violated security procedures. In March 2022, it became known that the day after Russia’s full-scale military invasion of Ukraine, Polish Prime Minister Mateusz Morawiecki used private email to send official correspondence on military assistance that Ukraine had requested from Poland to Daniel Obajtek, CEO of PKN Orlen. It was about the supply of fuel for the Ukrainian military. The Prime Minister forwarded this letter without the knowledge of cybersecurity experts.
At that time, Poland was under the third level of cyber threat, called CHARLIE-CRP. It is declared only when there is a real possibility of terrorist attacks.
