
Your Data, Their Failure
An analysis of the leaked m:SAT TV satellite television subscriber database – what the data contains, its scale, and what it means for citizens of Serbia.
What exactly happened?
In March 2026, hackers published a database containing information about m:SAT TV subscribers, collected between January 2019 and December 2025. The database spans nearly seven full years of personal and technical data on hundreds of thousands of Serbian citizens.
The database was built through the operational work of field technicians and call centers – every contact with a subscriber during installation, service, or contract termination left a trace. The data was distributed through a network of partners and subcontractors across Serbia.
Note on scale: The database contains 688,884 records, but not that many unique individuals – each intervention is logged separately. However, 338,934 unique national ID numbers confirm that personal data of hundreds of thousands of distinct individuals has been compromised and permanently exposed.
The depth of personal data
The database does not contain just names and contacts, but layered personal and technical information that together create a detailed profile of each subscriber.
| Category | Contents | Risk |
|---|---|---|
| JMBG | Unique national ID — a permanent identifier that cannot be changed | High |
| Exact address | Street, number, entrance, floor and apartment number | High |
| Mobile number | Present in 653,680 records (94.9% of the database) | High |
| Full name | Full name of the subscriber | Medium |
| Operator comments | Free-text comments in 236,060 records | High |
| Contract data | Package, request type, distributor, dates | Medium |

The combination of data is what makes this dangerous. Name + ID number + exact address + mobile number together are sufficient for identity theft, phishing, and physical targeting. These details cannot be changed – you cannot replace your home address or ID number with new ones.
Not just active subscribers
The database covers everyone who ever had any contact with the service, including those who cancelled long ago.
All of Serbia is affected
The data comes from 151 cities and municipalities across Serbia. Each cell on the chart represents one location – the size corresponds to the number of compromised records. The data is widely distributed – no part of Serbia is spared.
Seven years of digital footprints
The database covers January 2019 to December 2025. The data is current: over 168,000 records are from 2025 alone.
More than contact data
The database contains two columns of free-text comments entered by call center operators and field staff. A total of 236,060 records include a comment – and within those comments lie some of the most sensitive information in the entire database.
Particularly concerning: Comments contain national ID numbers and personal data of people who were never subscribers: family members, heirs, tenants. These people had no way of knowing their data was stored in this database.
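For operators who hold similar free-text fields, the following added example (not part of the original analysis or of any m:SAT TV system) shows one way to find and mask national ID numbers (JMBG) in comment columns. The 13-digit format with a mod-11 control digit is the publicly documented one; the column names `comment_1` and `comment_2` and all sample rows are constructed for illustration.

```python
import re

# Any run of exactly 13 digits is a candidate; longer digit runs are ignored.
CANDIDATE = re.compile(r"(?<!\d)\d{13}(?!\d)")
WEIGHTS = [7, 6, 5, 4, 3, 2] * 2  # applied to digits 1..12


def jmbg_check_digit(first12: str) -> int:
    """Mod-11 control digit as publicly documented for the JMBG format."""
    total = sum(int(d) * w for d, w in zip(first12, WEIGHTS))
    m = 11 - (total % 11)
    return m if m <= 9 else 0  # results 10 and 11 map to 0


def is_plausible_jmbg(digits: str) -> bool:
    """Day/month range check plus control digit, to cut false positives."""
    day, month = int(digits[0:2]), int(digits[2:4])
    if not (1 <= day <= 31 and 1 <= month <= 12):
        return False
    return jmbg_check_digit(digits[:12]) == int(digits[12])


def redact_comment(text: str) -> tuple[str, int]:
    """Return the comment with valid-looking JMBGs masked, and the hit count."""
    hits = 0

    def mask(match: re.Match) -> str:
        nonlocal hits
        if is_plausible_jmbg(match.group()):
            hits += 1
            return "[JMBG REDACTED]"
        return match.group()

    return CANDIDATE.sub(mask, text), hits


# Constructed sample rows (hypothetical column names); both columns are scanned.
SAMPLE_ROWS = [
    {"id": 1, "comment_1": "Contract moved to heir, ID 0101900000007", "comment_2": ""},
    {"id": 2, "comment_1": "Receiver serial 1234567890123 swapped", "comment_2": "call after 17h"},
    {"id": 3, "comment_1": "", "comment_2": "tenant gave 0101900000001 by phone"},
]


def scan_rows(rows):
    """Map row id -> number of JMBGs found across the two comment columns."""
    return {r["id"]: sum(redact_comment(r[c])[1] for c in ("comment_1", "comment_2"))
            for r in rows}
```

Requiring a valid control digit keeps serial numbers and other 13-digit values from being flagged, at the cost of missing mistyped IDs such as the one in row 3; a stricter policy would mask every 13-digit run in free text.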
Businesses in the leaked database
In addition to individuals, the database contains a separate segment of 1,020 business customer records: companies and entrepreneurs who used m:SAT TV. This data is especially sensitive because it combines personal data of company representatives with confidential business information.
Unlike the individual subscriber database, every business record contains both the company tax ID and the national ID number of the company representative — meaning the personal data of founders, directors, or owners is directly linked to the company’s business data.
Examples of companies in the database
Republika Srbija — MUP, Ministarstvo odbrane VP2084, Vojska Srbije VP 4557, Elektromreža Srbije, Novosadska toplana JKP, Dom za lica sa oštećenim vidom Pančevo, Dom Dorothy Beograd, Etno selo Vraneša, Brestovačka banja, Srpska kruna
State institutions in the database: The database includes contracts in the name of the Ministry of Interior, Ministry of Defense, and the Serbian Armed Forces, as well as public utility companies. The leaked data therefore also contains addresses, contact details, and national ID numbers of designated officials in these institutions.
Concrete risks
| Risk | How it’s possible |
|---|---|
| Phishing and fraud | Attackers know your name, address and phone — enabling highly convincing scams. |
| Identity theft | ID number + address + name = sufficient to open accounts or take out loans in someone else’s name. |
| Political misuse | A geographically precise database — ideal for targeted propaganda or voter manipulation. |
| Physical safety | Exact apartment addresses and movement schedules directly threaten physical safety. |

This data cannot be undone. You can change a password. You can block a bank card. But you cannot replace your ID number, home address, or date of birth. Once compromised, this data is a permanent risk.
Recommendations for citizens
1. Be wary of unexpected calls and messages, especially those requesting personal data or payments, even if they sound convincing.
2. Contact the Commissioner for Information of Public Importance and Personal Data Protection — if you believe your data has been misused.
3. Report suspicious activity to the Ministry of Interior or competent authorities.

If a subscriber died or transferred a contract, the operator would record the ID number of the heir or family member — a person who never signed any contract.
* The published database contains real data. We have redacted it here.
Reasons stated in comments for postponing installation would often reveal intimate details about subscribers’ or family members’ health. Such data enjoys special legal protection.
Comments precisely record when a subscriber is not at home. Such information can be exploited for physical attacks or burglaries.
Details about circumstances in the household — who has a tenant, who is moving, who is in the hospital — create a complete social profile of the subscriber.