Interior minister addresses shortcomings in ministry’s IT systems

Lithuania’s interior minister, Vladislavas Kondratovičius, has acknowledged persistent shortcomings in the Interior Ministry’s (VRM) information systems, stating that resolving them will take time, LRT reports.

Responding to Defence Minister Robertas Kaunas’ remarks that the National Cyber Security Centre (NKSC) identified flaws in VRM’s IT systems in 2022 but the ministry failed to act sufficiently, Kondratovičius said most recommendations had been implemented.

“Our institution, the Department of Informatics and Communications (IRD), conducted an assessment and achieved over 96% compliance with NKSC recommendations,” the minister told journalists. He added that if recommendations had been ignored, such compliance would not have been possible.

Regarding the 2022 report, Kondratovičius noted that the previous leadership had already addressed over 80% of the issues. “There are still things to do, but these cannot be fixed in a day. We’d like to act quickly, but human resources, as well as financial and technical factors, require time,” he said.

His comments follow reports that authorities are investigating potential unauthorised access to the accounts of dozens of VRM employees. According to the 15min news portal, ministry officials may have been aware of breaches in several IT systems as early as May, with discussions held in inter-agency meetings.

The Prosecutor General’s Office is probing an incident involving the theft of over 600,000 real estate records from the Centre of Registers (RC), causing damage estimated at no less than €111,000. The State Data Protection Inspectorate estimates that around 500,000 individuals were affected.

Opposition lawmakers have gathered signatures to launch a temporary parliamentary investigation commission to examine the data breach. Former RC director Adrijus Jusas, who has since resigned, stated that the large-scale data leak was detected in early April, but legal restrictions tied to an ongoing pre-trial investigation, launched on 5 April, limited public disclosure. The RC maintains its duty was to inform affected individuals, not the public, about the breach.