Newsroom
Two key online government services in Cyprus have been operating for months with serious security vulnerabilities, a local cybersecurity expert has revealed.
The discovery, made by chance during routine online activity, was reported immediately to the relevant agencies and administrators. But despite repeated alerts, no effective action has been taken. In one case, tens of thousands of personal records remain exposed.
24news, which is aware of the two affected services, has chosen not to name them to prevent potential misuse by malicious actors.
The discovery
The vulnerabilities were found in two primary government portals used daily by tens of thousands of citizens to submit applications. The cybersecurity expert stumbled upon the flaws through simple interactions with the websites.
Case one: Critical security breach on government website
In September 2024, while submitting an application through a state website, the expert discovered a critical flaw that he rated at the highest level of severity. Left unaddressed, it could allow hackers to steal personal data or even breach the entire network.
Experts stressed that this case should have been treated as an urgent priority.
Attempts to contact the website’s owners hit a wall when the expert was told the site’s administrator had retired and “no replacement has been found yet.”
Despite multiple reminders from the Digital Security Authority, the issue lingered. In 2025, an external company was brought in to fix the problem. Efforts made in June failed to resolve it. A recent final review confirmed the security gaps remain, prompting a decision to take further measures.
Case two: Personal data exposed via government portal
The second case involves a government portal where a simple search function reportedly exposed personal details of citizens, including names, passport and ID numbers, birth dates, and employment information. According to the expert, tens of thousands of records could be accessed by anyone using the service.
The complaint reached the Digital Security Authority on May 8, which instructed the responsible state body to fix the issue.
George Michaelides, Commissioner of Communications and head of the Digital Security Authority, confirmed to state broadcaster CyBC that two institutions had reported potential vulnerabilities:
“We have checked these vulnerabilities and are now in consultation with both organizations. The next step is compliance, moving from the purely technical to the legal stage, setting timelines for implementation. This could end in recommendations or even fines, though our goal is not to issue penalties but to upgrade the security of the systems.”
However, sources from the Office of the Commissioner for Personal Data Protection have not confirmed any actual breach of personal data in the second case as described.
*Source: 24News
