Lithuania is investigating one of the most politically charged data breaches in its recent history: the theft of more than 600,000 records from the Centre of Registers (Registrų centras), the state agency that maintains the country’s real-estate and legal-entity registries. The records — names, dates of birth, national identification numbers, property addresses and cadastral information — represent personal data tied to a meaningful slice of a nation of fewer than three million people.

What elevates this from a routine government breach to a national-security incident is how the attackers got in, and who officials believe is behind it. The intrusion did not exploit a software flaw. It exploited trust — and senior Lithuanian politicians say it bears the hallmarks of a Russian intelligence operation.

A breach through the front door

According to prosecutors, the attackers did not break the Centre of Registers’ systems so much as log into them. They obtained or compromised valid login credentials belonging to Lithuania’s Migration Department — an institution with legitimate, authorized access to the registry for official purposes — and used those credentials to issue large volumes of queries from abroad over an extended period.

The system, by the prosecutors’ own account, was wide open to this kind of abuse. There was no two-factor authentication on the privileged accounts, no monitoring of user activity, and no limits on interagency query volumes. A legitimate set of credentials, once stolen, could quietly pull hundreds of thousands of records without tripping a single alarm. The estimated direct financial damage stands at around €111,000 (about $129,000), but the strategic cost is far harder to price.

Contact details, bank accounts, payment information, court rulings and cadastral measurement files were not compromised, authorities said — a small mercy in an otherwise damaging exposure.

The addresses no one wants leaked

The most alarming concern is not financial fraud but physical exposure. Opposition leader and former Defense Minister Laurynas Kasčiūnas warned that the residential addresses of intelligence officers, military personnel, diplomats, politicians and civil servants may sit within the 600,000 extracted records.

For a country that shares borders with Russia’s Kaliningrad exclave and with Belarus, that is a grave prospect. A property registry tying named individuals to their home addresses is precisely the kind of dataset a hostile intelligence service would prize — for surveillance, coercion, or worse. Lithuania has repeatedly accused Moscow of hybrid operations, from cyberattacks to disinformation campaigns, and this breach slots neatly into that pattern.

Kasčiūnas alleged the intrusion carries “the hallmarks of a Russian intelligence operation,” though he presented no public evidence and authorities have neither confirmed nor denied Russian involvement. President Gitanas Nausėda went further in characterizing the threat, stating that “hostile states” orchestrated the theft.

Timeline and fallout

The breach was first detected in early April 2026, though unauthorized access is believed to have begun earlier in the year. Prosecutors made the incident public on May 26, 2026, and the political consequences were immediate. The following day, May 27, Centre of Registers director Adrijus Jusas resigned.

“Given the sensitivity of the situation, I have decided to step down and hand over responsibility to other professionals,” Jusas said in his statement.

The investigation, led by Lithuania’s Prosecutor General’s Office, remains open as authorities work to determine the full scope of the extraction, how the Migration Department credentials were compromised, and whether the data has already changed hands.

The lesson: authorized access is the new attack surface

The Lithuania breach is a textbook illustration of a threat that defenders consistently underweight. There was no zero-day, no malware, no dramatic perimeter breach. There was a trusted account, a stolen password, and a system that assumed anyone holding valid credentials was acting in good faith.

Interagency data-sharing arrangements multiply this risk: every institution granted query access becomes a potential entry point, and the security of the central registry is only as strong as the weakest credential held by any connected agency. Without multi-factor authentication, anomaly detection on query patterns, and hard volume limits between agencies, a single compromised login at a peripheral department can quietly drain a national database — exactly as it did here.
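The two controls the paragraph above says were missing, a hard per-account volume limit and monitoring of query patterns, can be illustrated with an added example that is not drawn from the investigation or from any Lithuanian system. The log format, account names, the "XX" foreign-country placeholder and the thresholds are all assumptions made for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit records: time, account, source country, records returned.
SAMPLE_LOG = """\
2026-01-01T09:00:00 agency-a-svc LT 40
2026-01-01T09:05:00 agency-b-svc LT 120
2026-01-01T23:10:00 agency-b-svc XX 300
2026-01-02T01:00:00 agency-b-svc LT 700
2026-01-02T02:00:00 agency-b-svc LT 400
2026-01-02T09:30:00 agency-b-svc LT 250
"""

def review(log_text, window_limit=1000, window=timedelta(hours=24), home="LT"):
    """Return (decisions, alerts) for a registry query log.

    Assumed policy: deny and alert on any query that originates outside
    `home`, or that would push the account's records returned within the
    sliding `window` above `window_limit`.
    """
    recent = defaultdict(deque)  # account -> (time, records) of allowed queries
    totals = defaultdict(int)    # account -> records returned inside the window
    decisions, alerts = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_raw, account, country, count_raw = line.split()
        ts, count = datetime.fromisoformat(ts_raw), int(count_raw)
        # Expire allowed queries that have aged out of the sliding window.
        q = recent[account]
        while q and ts - q[0][0] >= window:
            totals[account] -= q.popleft()[1]
        reasons = []
        if country != home:
            reasons.append("foreign-origin")
        if totals[account] + count > window_limit:
            reasons.append("volume-limit")
        if reasons:
            decisions.append("deny")
            alerts.append((ts_raw, account, tuple(reasons)))
        else:
            decisions.append("allow")
            q.append((ts, count))
            totals[account] += count
    return decisions, alerts

if __name__ == "__main__":
    for alert in review(SAMPLE_LOG)[1]:
        print(alert)
```

Denied queries do not count toward the quota, so a blocked burst cannot lock a legitimate account out for the rest of the window.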

For governments digitizing their citizen registries, the takeaway is uncomfortable but clear: protecting the database is not enough. Every credential that can reach it must be protected with the same rigor — because to the system, a stolen login from a trusted partner looks identical to a legitimate one.
