Unresolved major problem

A person’s full name, passport details, address, bank cards, and similar personal information can sell for between $150 and $1,000. These are the “average” prices for citizens of developing or middle-income countries. Data belonging to citizens of the United States and Europe is sold for thousands of dollars or more. There is no shortage of buyers, and payments are made immediately. These prices are based on Darknet transactions and are listed on the Compare Cheap SSL platform. After reading this, it should already be clear what topic we are discussing.

Your personal data — passport series and number, credit history, bank account details, and even diploma records — may already be for sale somewhere. The recent revelation that hackers allegedly stole personal data belonging to more than 15 million Uzbek citizens has been widely discussed. This article examines the issue from a different angle, beginning with a review of hacking incidents and system breaches in Uzbekistan, from minor cases to major ones.

Indecency at a metro station

Many will recall the incident on April 12, 2021, when an obscene message appeared instead of the time on an electronic clock at the third station of the Sergeli line of the Tashkent Metro. The incident sparked widespread discussion for several days. Following an internal investigation, officials stated that hackers had gained access to the clock mechanism. Because the system was electronic and operated via Wi-Fi, individuals with sufficient technical knowledge were able to exploit this vulnerability.

It would be inaccurate to say that no one asked why security had not been strengthened despite such easy access. Many people raised this question. The issue, however, was whether anyone could provide a clear answer. This leads to a broader concern: if anyone can display any message on a public information board in a crowded area, what prevents malicious use tomorrow — propaganda, provocation, or something far more dangerous?

Pornographic content displayed on a main street

An even more scandalous incident occurred on March 31, 2022, in the Khorezm region. Many will remember how a pornographic video was displayed on a large advertising screen in the middle of a busy street during daytime hours. For several minutes, the explicit footage continued to play. Women, children, drivers stopped at traffic lights, public transport passengers — virtually everyone passing by — witnessed it.

After public outrage, the incident was officially explained as employee negligence, and the responsible individual was dismissed. However, it is difficult to believe that prohibited video material could appear on a public street screen solely due to carelessness.

Teenagers hacking the Senate website

The most serious case occurred on November 2, 2022, when the official website of the Senate of the Oliy Majlis of Uzbekistan was hacked. The most striking detail was that the attack was carried out by a group of six Uzbek teenagers aged 14 to 15. School students managed to breach the Senate’s website and even left a mocking message reading, “Greetings to the Cybersecurity Center.”

In a television interview, the leader of the hacking group said they wanted to demonstrate vulnerabilities in the system. This raises a critical question: if teenagers could do this, what are experienced hackers capable of? It was later reported that these teenagers were offered jobs at the cybersecurity center. Whether they still work there remains unclear.

A system flaw allowed anyone to watch Uzbekistan’s streets

Another alarming case became public in December 2025. Traffic cameras across Uzbekistan, used to monitor road violations, were left openly accessible on the internet. This meant that anyone, even from abroad, could watch live footage of Uzbekistan’s streets. The cameras remained exposed for four months, unnoticed by responsible authorities. Action was taken only after the US-based publication TechCrunch reported the issue.

These cases suggest that several warning signs appeared long before the personal data of 15 million citizens was allegedly leaked. And yet, no decisive action followed.

Under President Shavkat Mirziyoyev’s initiative, IT centers were established across the country. Tens of billions are allocated annually. Officials emphasize that IT is a sector of the future and that strong specialists must be trained. Preferential tax regimes were introduced, and salaries increased significantly. However, the current situation does not reflect these investments. Blaming the problem on a lack of qualified personnel would be misleading. After all, the teenagers who hacked the Senate website were also Uzbek. This has fueled public claims that key positions in the sector are occupied not by real professionals, but by individuals appointed through favoritism.

What is the price of personal data?

The data leak coincided with the completion of the online population and agricultural census conducted between January 15 and 31, raising many questions. The assumption is not without logic, as a database containing information on 15 million citizens is not something easily obtained.

However, the Statistics Committee stated that all data collected during the census is stored in encrypted form on separate servers. It also emphasized that personal data is fully protected, no photographs were taken during the process, and no images were uploaded to the database.

Not everyone is convinced by this official response. Several questions remain unanswered. Who is responsible for the leak? What were the causes and consequences? How serious is the threat?

When the first reports of the leak emerged, many rushed to offer advice, such as disabling credit access via My.gov or changing passwords. However, a logical question arises: if hackers already possess nearly all personal data, would they not also be able to access those systems? Could they not simply reset credentials? After all, they may already have passport numbers, SIM card data, and more. QALAMPIR.UZ examines potential risks based on global cases.

It has been reported that data on nearly half of Uzbekistan’s population is circulating on platforms such as the Darknet — the hidden and dangerous side of the internet, where anything from tanks to fake passports can be sold. Ordinary search engines do not work there, access requires special software, and illegal trade, hacking, fraud, and criminal activity are common.

For example, a single email and password can sell for at least $5. Phone number databases cost around $50, social media account credentials up to $70. Bank card details sell for $100 to $1,000, online banking access for $50 to $500, and complete credit profiles for $200 to $2,000. Medical data starts at $1,500, while government or VIP information can cost tens of thousands of dollars.

Who needs this data and for what purpose?

Buyers of personal data on the Darknet are not professional hackers, but criminal groups that know how to profit from stolen information. Using bank data, login credentials, and full personal profiles, they steal money, take out loans, commit fraud, and engage in blackmail. As a result, the trade in stolen data is not only a technological threat, but also a social and economic one.

Those receiving calls from numbers starting with the 71 code, hearing AI-generated voices, or seeing hacked Telegram accounts used to request money from contacts may now better understand how these schemes operate.

Reports have also emerged claiming that a single hacker gained access to Uzbek citizens’ data and demanded €200,000 in exchange for not releasing it and for identifying system vulnerabilities. Given the information above, it is no longer difficult to understand how such a demand could be made.

Citizens’ data in Uzbekistan is stored across numerous institutions — medical, social, personal, educational, pension-related, and records of individuals with protected medical conditions. Is there any guarantee that this data will not also be leaked? Can anyone confidently reassure the public? Will clear and credible information be provided today or tomorrow? Will the repeatedly cited “preliminary investigation” ever truly conclude?

There are many questions, but few answers. When reliable and substantive explanations emerge, we will return to this topic. Until then, protect yourselves — and your access codes.

Nurzodbek Vohidov