Lithuania’s interior ministry reports potential biometric data leak to prosecutors

The Lithuanian interior ministry has referred information about a possible biometric data leak to the prosecutor general’s office, following public reports of a security breach, LRT reports.

The ministry stressed in a statement that residents’ biometric data—stored in the Migration Information System (MIGRIS), the ID Document Issuance Information System (ADIS), and the Population Register—remain secure. No evidence of unauthorised access or disruption to these systems has been found.

“In light of publicly disclosed information and to assess potential risks, the ministry has asked prosecutors to confirm whether they possess any data related to the reported circumstances involving possible breaches or leaks in the ADIS and MIGRIS systems,” the statement read.

The move follows a 15min.lt report last week revealing that authorities are investigating not only a data leak at the Centre of Registers (RC) but also potential unauthorised access to email accounts of employees under the interior ministry’s jurisdiction. Sources suggested ministry leadership may have been aware of breaches affecting dozens of IT system accounts as early as May.

Interior Minister Vladislav Kondratovič said both ministry and public biometric data remain secure, clarifying that current concerns involve employee email accounts rather than systemic data leaks.

Prosecutors expand probe into registry breach

The prosecutor general’s office has broadened its pre-trial investigation into the RC data leak to include possible dereliction of duty in ensuring system security. The probe, initially launched in April, previously covered unauthorised data transfer, system access, and misuse of credentials.

Elena Martinonienė, head of the prosecutor’s communications division, confirmed the investigation now examines whether officials failed to properly secure IT systems, access protocols, and related accounts under Article 229 of the Criminal Code (“Failure to Perform Official Duties”). No suspects have been named.

The RC breach reportedly involved the theft of over 600,000 property records, with estimated damages exceeding €111,000. The State Data Protection Inspectorate estimates around 500,000 individuals were affected. Opposition lawmakers have collected signatures to establish a parliamentary commission to investigate the incident.

Adrijus Jusas, the former RC director who resigned amid the scandal, claimed the large-scale leak was detected in early April but that legal restrictions tied to the ongoing prosecution limited public disclosure. The RC maintains its duty was to notify affected individuals, not issue broader public alerts.