RSS
Логотип
Баннер в шапке 1
Баннер в шапке 2
2025/11/17 09:00:00

Processing of personal data in Kazakhstan

Content

2025

Kazakhstan Deputy Head of the Ministry of Digital Development: Data leak of 16 million residents of the country occurred without hacking IT systems

On October 21, 2025, Deputy Minister of Artificial Intelligence and Digital Development of Kazakhstan Doszhan Musaliev at a briefing announced the interim results of the investigation into the leakage of citizens' data. According to the Information Security Committee, we are talking about the theft of personal information of 16 million Kazakhstanis.

According to the Kazinform agency, in June 2025 it became known about the initiation of a criminal case in connection with the leakage of personal data of 16 million citizens of Kazakhstan. At the same time, it was reported about the transfer of materials to the Ministry of Internal Affairs. Musaliev said that the check revealed signs of possible causes of the incident. The version of compromising legal accounts is being considered. The Vice Minister stressed: the system was not hacked.

In
Kazakhstan, data from 16 million people leaked without hacking

One of the main hypotheses suggests that the information was stolen by a person who had official access to the database. The information could have been copied using legitimate credentials that were either shared with third parties or stolen.

All materials in this case have been transferred to the competent state authorities for further investigation. Doszhan Musaliev noted that due to the observance of the secrecy of the investigation, the details of the investigation were not disclosed.

According to the Kazinform agency, Prime Minister Olzhas Bektenov stressed the need for operational measures in the field of information security, in particular, at the legislative level: "We will respond, including by legislative factors. I think it is unequivocal that in the field of organs, when they reach the courts, they will find a responsible person who nevertheless made a leak. " Previously, improper storage of information in medical institutions of the country was called as a possible reason for the leak.[1]

Data leak of 16 million Kazakhstanis

More than 16 million records with personal data of citizens of Kazakhstan were in the public domain. This was announced in mid-June 2025 by specialists from the profile Telegram channel SecuriXy.kz.

The published database contains individual identification numbers, residential addresses, contact numbers and other confidential information.

There was a data leak of 16 million Kazakhstanis. In the merged database addresses and phone numbers

The archive is 799 MB in packaged form, and after unpacking - 7.03 GB. The packaging date of the archive is June 13, 2024. The number of rows in the table reaches 16,302,107, while there are 15,851,699 unique IINs and 16,901,555 unique phones.

The CSV file contains the name of citizens, gender, date of birth, IIN, contact numbers (mobile, home, work), address of residence, citizenship and indication of the organization. In the column "address," the addresses of dentists, universities, clinics and government agencies are often found.

According to the publication, the peak of the relevance of the data falls on 2022, while the archive also has records for 2023 and 2024, which confirms the freshness of the leak. Experts believe that the information could have been obtained through various leakage channels.

According to experts, the leak could have occurred due to access to semi-open APIs of state or quasi-state services. Possible reasons are also hacks of poorly protected online services that return personal data by ID, or erroneous uploads from integration platforms.

The leak creates a high risk of abuse for affected citizens. Fraudsters can use the information received for phishing and telephone fraud, forging documents, gaining access to personal accounts on eGov and in banks.

Earlier in 2022, 11 million Kazakhstanis were leaked from the Central Election Commission database. The criminal case on the fact of this leak was closed due to the lack of corpus delicti, which caused criticism from cybersecurity experts.

In March 2024, the state technical service discovered a leak of more than 2 million personal data of clients of a microfinance organization zaimer.kz.[2]

2024:140 sellers of personal data detained in Kazakhstan, five of them arrested

In June 2025, employees of the Ministry of Internal Affairs of Kazakhstan, together with the National Security Committee, detained a group engaged in the illegal sale of personal data. The operation identified 140 suspects, five of whom were arrested.

According to the Ministry of Internal Affairs of the republic, the criminal group carried out the illegal sale of personal information of Kazakhstanis in the Internet space. Among the detainees are the owners of the company and administrators of Telegram channels through which confidential information was distributed.

In
Kazakhstan, law enforcement officers detained 140 people for trafficking in personal data, five defendants were taken into custody

The head of the cybercrime department of the Ministry of Internal Affairs, Zhandos Sүyіnbay, said that information was obtained from state bases and distributed through instant messengers. Personal data were transferred to individual collection companies for use in their activities.

During searches in collection companies, more than 400 units of computer and other electronic equipment were seized. The seized equipment will be used as an evidence base in the initiated criminal cases.

On the fact of illegal trade in personal data, criminal cases were initiated under several articles of the Criminal Code of Kazakhstan. Law enforcement officers qualified the actions of the group under the article of the 205 part of the 3 as illegal access to information.

Also, the defendants in the case were charged under article 147 of the 5 for violation of privacy and personal data legislation. The third charge was brought under article 211 of part 3 of the Criminal Code for the unlawful distribution of electronic resources of limited access.

Zhandos Sүyіnbay noted that work to establish a full circle of involved persons continues. Investigative actions are aimed at identifying all participants in the criminal scheme and determining the extent of damage from their activities.[3]

2020: Kazakhstan approved the rules for the collection and processing of personal data

In November 2020, the order of the Ministry of Digital Development, Innovation and Aerospace Industry of the Republic of Kazakhstan "On the approval of the rules for the collection and processing of personal data" came into force. The rules apply to relations arising between owners, operators, entities, as well as third parties in the process of collecting and processing personal data.

According to the document, the collection and processing by the owner or operator of personal data is allowed in the amount determined by the list of personal data necessary and sufficient to perform the tasks.

Kazakhstan approved the rules for the collection and processing of personal data

In this case, the list of personal data is determined and approved in accordance with the rules for determining the list of personal data by the owner or operator. The collection and processing by the owner or operator of personal data is allowed in the amount determined by the list of personal data necessary and sufficient to perform the tasks performed. In this case, the list of personal data is determined and approved in accordance with the rules for determining the list of personal data by the owner or operator.

Separately, it is said about the processing of personal data in the activities of courts. Thus, the texts of judicial acts of the Supreme Court of Kazakhstan, local and other courts, with the exception of the texts of judicial acts providing for provisions that contain information constituting a state or other secret protected by law, as well as judicial acts in cases considered in a closed trial, are placed on the services "Judicial Cabinet," "Bank of judicial acts" of the Internet resource of the Supreme Court in full.

To ensure the safety of participants in the trial and protect the secrets protected by law when collecting and using or distributing judicial acts by third parties, personal data are excluded (depersonalized) from them. At the same time, third parties undertake obligations to ensure compliance with the requirements of the law.[4]

Notes

  1. How the data of 16 million Kazakhstanis leaked: the Ministry of Ministry of Digital Development revealed the details
  2. Large-scale leak: personal data of 16 million citizens of Kazakhstan got into the network
  3. The group engaged in the sale of these Kazakhstanis was liquidated
  4. pos=4; -106 Order of the Minister of Digital Development, Innovation and Aerospace Industry of the Republic of Kazakhstan dated October 21, 2020 No. 395/NҚ On Approval of the Rules for the Collection, Processing of Personal Data
Источник — «https://tadviser.com/index.php/Article:Processing_of_personal_data_in_Kazakhstan»

Шестерня

The site content is translated by machine translation software powered by PROMT. The machine-translated articles are not always perfect and may contain errors in vocabulary, syntax or grammar. Read original article

If you find inaccuracies or errors in the results of machine translation, please write to editor@tadviser.ru. We will make every effort to correct them as soon as possible.

How to create a "smart plant": Key characteristics of a modern digital enterprise
Model Studio CS: How to use BIM to give new impetus to the development of the fuel and energy complex