End of August 2022, the websites of the Montenegrin Government’s ministries, revenue and customs were compromised by an unknown hacker(s). No official announcement was made of the damage caused by this act, including data loss, as the team of forensics is still conducting an investigation.
What has been immediately reported and publicly noticed, was the lack of fiscal receipts. Many POS systems came to a halt as they are Internet (online) dependent. The fiscalization server at the Tax Authority became unavailable to respond to hundreds of thousands of API calls made from sales points that occur on a daily bases.
The fiscalization model in Montenegro is known as the online model, the same as in Croatia, Slovenia and the Czech Republic. Fiscal receipts are digitally signed in real-time using the web service centrally made available by Tax Authority. In case of web service unavailability, the Law prescribes issuance of non-fiscal receipts (without digital stamp) with the obligation that they are sent, no later than a few days after issuance, to the same web service for post-festum stamping.
The post-festum stamping has its own risks, thus it is not the favorite option of the Tax Authority. During this downtime, receipts may go missing and there is no information to connect the gap as each receipt contains only information about that individual transaction. This model of fiscalization presumes that Internet interruptions are insignificantly short and rare so the data loss is minimal. However, this situation proves that the online model is extremely vulnerable, especially because many vendors have failed to account for the downtime incident and have blocked receipt issuance in case of web service unavailability. Some manufacturers choose not to have redundancy if it is not compulsory.
- “The Director of the Directorate for Information Security, Dusan Polovic, said that “150 cells” in a dozen state institutions were infected, and that the data of the Ministry of Public Administration was not permanently damaged. “The infected stations have been removed from the network and hard drives have been removed from them for further forensics,” he said, adding that “the priority is to put the tax system into operation, but this will be done only when it is completely secure.”