The Personal Data Protection Agency (AZOP) has confirmed that the data of over one million car owners leaked in May matches the register of the Croatian Insurance Bureau. The data was not found in the public domain. Checks with the Croatian Centre for Vehicles, the Ministry of the Interior and other bodies revealed that they are not in possession of the structure of the leaked data.

AZOP continues to investigate the extraction of the personal data from the Croatian Insurance Bureau database and will keep the public informed as soon as new information is available. The data includes names, addresses, personal identification numbers, dates of birth, registration details and insurance policy information.

At the end of May, the daily newspaper Vecernji List reported on a document according to which the Security and Intelligence Agency (SOA) had received information about the leak, which concerns 2,444,587 vehicles belonging to 1,195,052 people. Interior Minister Davor Bozinovic emphasised that the leak did not originate from his ministry and that the data was not publicly accessible.

However, the Croatian Insurance Bureau denies this. The full statement can be found below.

“In accordance with the Act on Compulsory Insurance in Road Traffic and the Insurance Act, the Croatian Insurance Bureau collects data on licence plates and other information on vehicles and compulsory motor vehicle liability insurance. The data on motor vehicle liability insurance is stored in the database of the Information Centre of the Croatian Insurance Bureau, which was established to enable injured parties to claim compensation for damage caused in road accidents (Article 52 of the Act on Compulsory Road Traffic Insurance).

In fact, the Croatian Insurance Bureau collects and processes the data under the supervision and investigation of AZOP, which only established the similarity of the data with the database of the Croatian Insurance Bureau, but not the circumstances of the data breach. However, based on internal reviews and investigations by independent experts, the Croatian Insurance Bureau is of the opinion that it is not responsible for the fact that the data has been obtained by unauthorised persons and that other entities besides the Croatian Insurance Bureau have access to this data.

This is because the Croatian Insurance Bureau has passed on the data to other competent authorities on the basis of official requests and orders, for example to improve road safety. We note that the Croatian Insurance Bureau is obliged to co-operate with the competent authorities, including complying with official requests to provide data.

We expect AZOP to take further monitoring measures to determine how the data was obtained by unauthorised persons.

The Croatian Insurance Bureau is cooperating fully with AZOP and other authorities in this case and is conducting additional internal investigations to fully investigate the matter and protect the security of the personal data in its possession.”