Root cause analysis of major cybersecurity incidents and data breaches in Kazakhstan (2017-2025)

This article analyzes the root causes of key cybersecurity breaches in Kazakhstan from 2017 through 2025. Focusing on the DamuMed health-data breach (2019), the Kaspi.kz banking outage (2020), the Zaimer.kz microfinance leak (2024), and the compilation leak of 16 million records (2025), I examine technical vulnerabilities, human factors, legal weaknesses, and infrastructural gaps that enabled these incidents. I synthesize findings from official reports, news accounts, and expert commentary, and compare them with international examples such as the 2015 U.S. OPM breach, GDPR enforcement in Europe, and UK incidents (e.g. NHS and retailer attacks). My analysis reveals common causes: poor system security (outdated software, lack of encryption or multi-factor authentication), insider misuse or error, weak regulatory enforcement, and insufficient cybereducation. I discuss how Kazakhstan’s rapid digitalization, while building strong legal frameworks (Cyber Shield strategy), has outpaced investments in security and awareness. Recommendations include strengthening regulation and enforcement (e.g. creating a data protection authority), adopting technical standards (encryption, MFA, regular audits), establishing independent supervisory bodies, expanding cybersecurity education and training, deploying AI-driven monitoring, enhancing organizational accountability (through fines and audits), and deepening international cooperation under frameworks like the Budapest Convention. These measures, grounded in evidence and aligned with best practices (NIST, ENISA, UNESCO), aim to prevent future breaches. The study’s novelty lies in an author-developed, four-factor framework applied across domestic cases to enable structured, crosscountry comparison.

1. Issabaeva A. Cyber security issues in digital Kazakhstan [Elektronnyy resurs]. - Rezhim dostupa: https://www.nispa.org/files/conferences/2019/e-proceedings/system_files/papers/cvber-securitv-issuesissabaeva.pdf(data obrashcheniya: 12.05.2025).

2. Kazakhstan leads Central Asia in cybersecurity, says new regional study [Elektronnyy resurs] // The Astana Times. - 23.07.2025. - Rezhim dostupa: https://astanatimes.com/2025/07/kazakhstan-leads-centralasia-in-cybersecurity-says-new-regional-study (data obrashcheniya: 10.08.2025).

3. Zetter K. Why the OPM breach is such a security and privacy debacle [Elektronnyy resurs] // Wired. - 12.06.2015. - Rezhim dostupa: https://www.wired.com/2015/06/opm-breach-security-privacy-debacle (data obrashcheniya: 04.02.2024).

4. Gussarova A. Technology-surveillance nexus beyond COVID-19: the outskirts of digitalisation in Kazakhstan [Elektronnyy resurs] // Foreign Policy Centre. - 2021. - Rezhim dostupa: https://fpc.org.uk/technology-surveillance-nexus-beyond-covid-19-the-outskirts-of-digitalisation-inkazakhstan (data obrashcheniya: 12.03.2025).

5. Kaspi bank: ocheredi i sboi v prilozhenii [Elektronnyy resurs] // Sputnik Kazakhstan. - 28.10.2020. - Rezhim dostupa: https://ru.sputnik.kz/20201028/kaspi-bank-ocheredi-video-15316324.html (data obrashcheniya: 17.07.2025).

6. What we know about data leak affecting 16 million Kazakh citizens [Elektronnyy resurs] // The Astana Times. - 29.07.2025. - Rezhim dostupa: https://astanatimes.com/2025/07/what-we-know-about-data-leakaffecting-16-million-kazakh-citizens (data obrashcheniya: 01.08.2025).

7. Pierides M., Cavendish C. ICO GDPR fines reduced to £20m and £18.4m to reflect British Airways and Marriott mitigating factors [Elektronnyy resurs] // Tech & Sourcing@Morgan Lewis. - 06.11.2020. - Rezhim dostupa: https://www.morganlewis.com/blogs/sourcingatmorganlewis/2020/11/ico-gdpr-finesreduced-to-20m-and-18-4m-to-reflect-british-airwavs-and-marriott-mitigating-factors (data obrashcheniya: 20.12.2024).

8. Treanor J. Tesco Bank cyber-thieves stole £2.5m from 9,000 people [Elektronnyy resurs] // The Guardian. - 08.11.2016. - Rezhim dostupa: https://www.theguardian.com/business/2016/nov/08/tescobank-cyber-thieves-25m (data obrashcheniya: 03.01.2025).

9. Kazakhstan data breach - an overview [Elektronnyy resurs] // CERTPro. - 2024. - Rezhim dostupa: https://certpro. com/kazakhstan-data-breach (data obrashcheniya: 29.01.2025).

10. Ministerstvo tsifrovogo razvitiya Respubliki Kazakhstan. Kazakhstan strengthens positions in Global Cybersecurity Index 2024 [Elektronnyy resurs] // Gov.kz. - 12.09.2024. - Rezhim dostupa: https://www.gov.kz/memleket/entities/mdai/press/news/details/8455207lanFru (data obrashcheniya: 22.08.2025).

11. Alexandrova A., Kuznetcov A., Arkhipova O. Analysis of major factors preventing cybercrime reduction in Kazakhstan [Elektronnyy resurs] // CEUR Workshop Proceedings. - Vol. 3680. - 2023. - Rezhim dostupa: https://ceur-ws.org/Vol-3680/S4Paper3.pdf (data obrashcheniya: 22.08.2025).

12. Utechka dannykh tysyach patsientov proizoshla v Kazakhstane [Elektronnyy resurs] // Tengrinews.kz. - 07.2019. - Rezhim dostupa: https://tengrinews.kz/kazakhstan news/utechka-dannyih-tyisyachpatsientov-proizoshla-v-kazahstane-373363 (data obrashcheniya: 22.08.2025).

13. Ministr prokommentiroval sboi Kaspi.kz [Elektronnyy resurs] // Tengrinews.kz. - 29.10.2020. - Rezhim dostupa: https://tengrinews.kz/kazakhstan news/ministr-prokommentiroval-sboy-kaspikz-418520 (data obrashcheniya: 22.08.2025).

14. Kazakhstan probes massive data leak involving 16 million citizens [Elektronnyy resurs] // Orda.kz (English ed.). - 17.06.2025. - Rezhim dostupa: https://en.orda.kz/kazakhstan-probes-massive-data-leakinvolving-16-million-citizens-6914 (data obrashcheniya: 19.06.2025).

15. Zaimer.kz oshtrafovali na 18 mln tenge za massovuyu utechku lichnykh dannykh [Elektronnyy resurs] // Orda.kz. - 03.2024. - Rezhim dostupa: https://orda.kz/zaimerkz-oshtrafovali-na-18-mln-tenge-zamassovuiu-utechku-lichnyh-dannyh-384516 (data obrashcheniya: 28.07.2025).

16. Financial Conduct Authority. FCA fines Tesco Bank £16.4 million for IT control failures [Elektronnyy resurs]. - 01.10.2018. - Rezhim dostupa: https://www.fca.org.uk/news/press-releases/fcafines-tesco-bank-failures-2016-cyber-attack (data obrashcheniya: 05.02.2025).