
Lithuania’s Register Centre breach exposes a slow response chain inside the digital state


More than 600,000 Lithuanian real-estate register records, including personal identification codes, were allegedly copied after unauthorised users accessed the Register Centre through accounts linked to the Migration Department. According to LRT, the access was made from abroad, the thefts reportedly began at the start of 2026, and the data loss was noticed in early April. Among those affected were President Gitanas Nausėda, the army commander, ministers, MPs and business figures.

The case is still at an early stage, and key details remain unresolved, including how the credentials were obtained. But the information already made public points to a larger problem than one compromised database. It shows how access to a core public register can depend on accounts used by another public institution — and how slowly the state can move once suspicious access is noticed.

Migration Department director Indrė Gasperė said the Register Centre had been accessed by imitating official users from her department.

“Access to the Register Centre information systems was made by imitating that Migration Department employees were logging in,” Gasperė said.

She said she could not confirm that Migration Department employees themselves had logged in, or that the department’s own systems had been breached. According to her, real employees’ email addresses and passwords were used, while the investigation still has to establish how those credentials were obtained.

The first visible warning did not come from a public alert. According to Interior Minister Vladislav Kondratovič, the case surfaced after a citizen asked why the Migration Department had been looking at his property data.

“The first such letter was received at the end of February — on the 18th–20th — and on that basis it later became clear that the department employee did not even know that someone was using his login at the Register Centre,” Kondratovič said.

That timeline is now one of the most important parts of the story. A citizen raised the first question in February. By the end of March, the Register Centre had replied that the data had not been accessed by the real employee, but by someone else. The Economy and Innovation Ministry says it was informed on April 3 about a possible incident involving two accounts and several people’s data. The interim Register Centre head said the scale had been established by April 10 and law enforcement was informed. The wider scale was presented at an interinstitutional meeting on April 21. The public learned about the case only weeks later, after media reports and the Prosecutor General’s Office statement.

This is where President Gitanas Nausėda’s “transparent carpet” metaphor becomes more than a political phrase. The issue is not only that the public was informed late. The response chain appears to have been slow before the scandal became public at all. The case was visible inside the system before it was visible to citizens.

“I do not know why there was an attempt to sweep the dust under the carpet, because in this case the carpet turned out to be transparent and nothing can be hidden that way,” Nausėda said.

Nausėda also argued that the public should have been informed in real time, because the breach itself was already damage, while every day of delay created additional damage.

The government’s defence is that the scale and content of the incident were not known at the beginning and that premature disclosure could have harmed the investigation. Prime Minister Inga Ruginienė said that in early April “no one knew either the scale or the content of the incident” and described the investigation as complex and ongoing. Economy and Innovation Minister Edvinas Grikšas said the ministry first received limited information on April 3, while the true scale was presented on April 21.

But the communication dispute is now only one layer of the case. The other layer is security hygiene. Grikšas said that suspicious Migration Department accounts were blocked, old accounts were deleted, passwords were changed, and an anomaly-detection tool was introduced after the incident. He also said two-factor authentication at the Register Centre was only being launched after the breach.

For a public register holding sensitive personal and property data, the absence of two-factor authentication was not a technical footnote. It now looks like part of a wider security-hygiene failure that officials say had been left unresolved for years. Grikšas said additional funding had been allocated in November for IT security measures that had long been neglected, and that the Register Centre’s security debt had been growing since 2023.

Responsibility is also fragmented. The Register Centre is under the Economy and Innovation Ministry. The access route involved accounts linked to the Migration Department, which belongs to the Interior Ministry’s area. The Justice Ministry is the legal data controller for some register functions but says powers had been delegated to the Register Centre for the technical side, cybersecurity and breach notifications. The Prosecutor General’s Office says early disclosure could have complicated investigative actions, while Register Centre management acknowledges that the institution had to inform residents, with the question being how and when.

That makes the scandal more than a dispute over one missed press release. It is a test of how a digital state recognises abnormal access, escalates it, blocks compromised accounts, informs law enforcement and tells citizens that their data may already be outside the system.

For the Baltics, the Lithuanian case is an early warning rather than a finished lesson. Digital-state credibility is not measured only by the number of online services or the convenience of public registers. It also depends on the less visible layer behind them: authentication, access discipline, anomaly detection, inter-agency permissions and clear notification rules.

Even if some details of the investigation change, the structural question has already been raised. Public registers are not isolated databases. They are infrastructure layers used across ministries, agencies, courts, municipalities and private services. If credentials from one institution can become a route into another state register, the risk is no longer only technical. It becomes a question of public trust.