Official Press Release from Documentolog and CARCA

Documentolog, in collaboration with the Non-Profit Organization «Center for Analysis and Investigation of Cyber Attacks» (CARCA), has released an official press release regarding the incident involving the discovery of a vulnerability in the Documentolog EDS. 

The parties have reached a mutual understanding and declare that a peaceful agreement has been achieved regarding the situation. Additionally, CARCA has offered its official apologies to LLP «Documentolog» for the manner in which the information about the incident was presented and for any potential damage it may have caused. 

In turn, LLP «Documentolog» acknowledged the existence of shortcomings in ensuring information security, which were caused by human factors and errors in server settings. Upon receiving information about the incident, LLP «Documentolog» immediately took all necessary measures to neutralize any threats. 

Documentolog takes the situation seriously and intends to implement a series of measures to enhance information security within the company and specifically in the Documentolog EDS, including:

• implementation of mandatory two-factor authentication for system administrators and users, 
• logging and preventive analysis of any actions and changes in the company’s infrastructure, 
• monitoring the hash sums of all production instances, 
• conducting an audit of the information security system, 
• entering into a contract with an external company for log analysis (SIEM) of our systems, certifying 2 employees in RHCA and OSCP, 
• increasing information security literacy among company employees 
• and other measures.

In addition, a meeting took place between the General Director of LLP «Documentolog» Baizhan Kanafin and the Director of the State Technical Service Yerzhan Birzhanov, where they discussed options for cooperation and began working on issues in several areas, including conducting an audit of the Documentolog information security system. 

There are also plans to revise contracts and user agreements between Documentolog and its clients to clarify the responsibilities of the parties regarding confidentiality breaches and other actions that may cause damage or losses to either party.

Signed press release: