National Data Protection Commission received notification, but the entity that manages the Digital Mobile Key denies data leakage
The National Data Protection Commission (CNPD) confirmed this Monday that it received a notification regarding the cyber attack carried out against the Chave Móvel Digital tool last week. In a brief response to Expresso, the CNPD confirms that the Agency for Administrative Modernization (AMA) “has already notified the breach of personal data” relating to CMD – but this information may not be enough to deduce that there was extraction of information from users or professionals who deal with the tool that allows digital signatures to be made with legal value, reiterates the Ministry of Modernization.
Questioned by Expresso, the Ministry of Youth and Modernizationwhich is led by Margarida Balseiro Lopes, clarifies that the notification sent to the CNPD is limited to complying with the 72-hour deadline that the law establishes for incidents such as cyberattacks against the systems that support the CMD, which was reported last Thursday.
According to the Ministry, the notification revealed this Monday is limited to informing the CNPD that “there is no knowledge of data exfiltration” relating to CMD users. With this response, the Ministry intends to curb fears of a large data leak that could put at risk the authentication and digital signatures system that is provided by the State and which surpassed two million users in 2021.
On social media and on its own rehabilitated address, AMA provides news about the reestablishment of the Gov.pt portal, which brings together Public Administration digital services; Mosaico, which serves as a reference for the development of new services; the Mais Transparência Portal, and Digital.gov.pt, which aims to promote digital transformation.
The Administration’s SMS sending service, known as GAP, also returned to normal. The rehabilitation of services has been carried out together with the support of the National Cyber Security Center and the Judiciary Police.
AMA has been taking stock of the cyber attack on social media and in a website created for this purpose. The entity that manages the CMD also warns of fraud attempts that have been circulating on cell phones and the Internet with the aim of requesting the sending of credentials and data from Digital Mobile Key users.
“AMA will not request, through any channel, personal information to recover Digital Mobile Key (CMD) credentials or to access services. These possible contacts should be ignored by the citizen”, says WADA on the website it created to facilitate communication with citizens about recovery from the cyber attack.
There is no mention on the website of the total rehabilitation of the CMD, but on the AMA page and other State electronic services it is possible to confirm that the first steps have already been taken for the CMD to be reactivated. According to Expresso from a government source, the CMD has already been rehabilitated – but is still partially functioning. And this may have been one of the reasons why AMA and the Ministry of Modernization did not mention the full return of the CMD.
