Cyber Attack on Romania Land Registry: Exposed Data for Sale
Romania’s National Agency for Cadastre and Land Registration faced a cyberattack, causing the e-Terra platform to go offline.
Incident Overview
Romania’s National Agency for Cadastre and Land Registration experienced a significant disruption on July 14, 2026, when its e-Terra digital land registry platform became inaccessible. Initial reports described the incident as a technical failure, but subsequent investigations confirmed it as a cyberattack. The e-Terra application is expected to remain offline through the end of the week, according to a statement released on July 15.
Technical Failure or Cyberattack?
State authorities are examining the circumstances, though the agency has stated that data managed through its systems remains unbreached. The agency expressed regret over the situation and emphasized that technical teams are prioritizing system restoration under secure conditions.
Agency Response
Updates will be provided as the investigation progresses, but the outage has already impacted ongoing real estate transactions. A senior partner at Romanian advisory firm Veridio highlighted the broader issue of digital infrastructure lacking fail-safe mechanisms, noting that system dependencies must be balanced with contingency planning to ensure reliability.
System Dependencies and Contingency Planning
Veridio’s senior partner emphasized the need for robust contingency measures to prevent disruptions in critical services like land registration.
Threat Actor Details
A threat actor operating under the alias ByteToBreach has claimed responsibility for the breach, asserting that data from ANCPI systems is being offered for sale on a dark web forum. The actor alleges access to citizen information, internal databases, and copies of the agency’s GitLab servers, including source code. Ransomware deployment is also reportedly part of the attack.
Methods and Previous Activities
ByteToBreach has previously distributed stolen data from global organizations, employing tactics such as exploiting cloud and corporate infrastructure vulnerabilities, reusing credentials obtained via phishing or infostealer malware, and leveraging brute force or misconfigured access points.
Cybersecurity Implications
Cyber intelligence firm KELA Cyber noted that past incidents involving the actor have included verifiable datasets, suggesting the current allegations may hold merit but remain unproven. The attack underscores vulnerabilities in critical public infrastructure, with the threat actor’s methods reflecting a pattern of systemic exploitation.
Verification and Unproven Claims
KELA Cyber highlighted that while the actor’s past actions are verifiable, the current claims lack proof. The agency maintains that no data has been compromised, but the incident raises concerns about digital governance security.
Ongoing Investigation
The situation is under active review by relevant authorities, with further developments expected as the investigation continues. Proof of the intrusion includes screenshots shared by the actor.
“System dependencies must be balanced with contingency planning to ensure reliability,” said a senior partner at Veridio.
“Past incidents involving the actor have included verifiable datasets,” noted KELA Cyber.
