If you're a business owner in Kazakhstan reading this article, there are password-brute-force attempts hitting your corporate website right now. Not theoretically. In real time. According to the Ministry of Digital Development of Kazakhstan, thousands of DDoS attacks are repelled every minute. In the first quarter of 2025 alone, more than 30,000 information security incidents were recorded in the country — twice as many as the year before.
What Has Actually Happened in Kazakhstan in Recent Years
To put the scale into perspective — here are real cases.
- "Residents of Kazakhstan 2024." In June 2025, a CSV file containing data on 16.3 million Kazakhstanis appeared in public access, the largest personal data breach in the country's history. TSARKA confirmed its authenticity. Names, IIN numbers, phone numbers, addresses: all publicly exposed.
- Zaimer.kz. Personal data of millions of MFO clients became publicly accessible due to weak encryption and outdated systems.
- Alma TV. 9 May 2025 — a multi-layered cyberattack that paralysed the service's operations.
- Astana Airport. Hackers compromised the official website; TSARKA conducted an investigation.
- KazNU. Personal data of hundreds of female students, including medical examination results, became publicly accessible.
And these are only the publicly known cases. Most companies conceal breaches — because news of a hack destroys client trust far more than the breach itself.
What It Costs a Business
According to Cloudtek's research, in 2025, 68% of Kazakh companies that suffered cyberattacks lost at least 4.5 million tenge. That figure includes:
- Business downtime during recovery (average: 3–7 days after a ransomware attack)
- Forensics and data-recovery costs
- Ransom payments (ransomware targeting 1C in Kazakhstan — around $5,000)
- Fines under Article 147 of the Criminal Code of Kazakhstan for disclosure of personal data
- Legal costs from disputes with affected clients
- Long-term reputational damage
Five Common Attack Types Targeting Kazakh Businesses in 2026
Accounting Phishing
60% of all successful attacks in Kazakhstan start with a fake email "from the bank" or "from the tax authority." An accountant opens a "payment report" — the file turns out to be a Trojan, and within hours the entire corporate network is compromised.
Ransomware Targeting 1C
A virus encrypts the accounting system's database. A message appears on screen demanding a cryptocurrency transfer in exchange for decryption. The average ransom in Kazakhstan is around $5,000 — but it can be significantly higher. Some companies pay; others lose their data permanently.
DDoS Extortion
Hackers send a message: "Pay $500 or we'll take your site down for a week." They demonstrate capability with a brief test DDoS. Some companies pay — and the extortion repeats.
Exploiting WordPress Plugin Vulnerabilities
If your site runs on WordPress and you haven't updated plugins in a while — it's only a matter of time before you're hacked. In 2024–2025, dozens of critical vulnerabilities were found in popular WP plugins with millions of installations.
Access by Former Employees
According to Kaspersky, 37% of dismissed employees still have active access to corporate accounts months after leaving the company.
The Digital Code and Legal Liability
In January 2026, Kazakhstan signed the Digital Code into law. For the first time, citizens' digital rights — including personal data protection — are enshrined at the constitutional level.
85% of Kazakh companies violate data localisation rules without even realising it. Google Drive with client data? A violation. A CRM hosted on servers in the US? A violation. As regulatory enforcement tightens, all of these practices will start attracting fines.
- Article 147 of the Criminal Code of Kazakhstan — criminal liability for disclosure of legally protected secrets.
- Administrative fines for violations of personal data protection requirements — up to several million tenge.
- Revenue-based fines modelled on GDPR — a percentage of annual turnover — are under discussion.
Typical Vulnerabilities in Website Builder Sites
If you had a site built by a freelancer for 50,000 tenge or assembled it on a website builder — your security is almost certainly non-existent:
- Weak passwords. WordPress and Tilda show a strength meter but don't enforce strong passwords by default. A dictionary attack will guess "admin123" within minutes, usually within seconds.
- No 2FA. Standard template sites either lack two-factor authentication entirely or require a separate plugin to enable it.
- No rate limiting. Anyone can submit a thousand enquiry forms in under a minute.
- Exposed directories and files. Directory listing left enabled for folders such as /wp-content/uploads/ and /wp-includes/, or a database dump and old config backup left in the web root: automated scanners request exactly these paths on every host they find.
- Outdated plugins. If a plugin hasn't been updated in six months and a vulnerability is discovered — your site will almost certainly be compromised.
- No backups. Without a recent backup, the only option is to rebuild everything from scratch.
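The "weak passwords" and "no rate limiting" items above are the same problem seen from two sides: a login or enquiry form that accepts unlimited attempts. Below is an added example, not code from the article or from the developers it describes, of the throttle a site should put in front of both. It uses only the Python standard library; the limits (20 attempts per IP per minute, 5 per account per five minutes) and the sample IPs and password are illustrative values chosen for the example.

```python
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """At most `limit` events per `window` seconds for each key.

    A key is whatever you throttle on: the client IP, the username, the form
    name. The clock is a parameter so tests can advance time without sleeping.
    """

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._events = defaultdict(deque)  # key -> timestamps still inside the window

    def allow(self, key):
        """Record one event for `key`; return False if the budget is used up."""
        now = self.clock()
        q = self._events[key]
        while q and now - q[0] >= self.window:  # expire timestamps that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def retry_after(self, key):
        """Seconds until the oldest counted event leaves the window (0.0 if not throttled)."""
        q = self._events[key]
        if len(q) < self.limit:
            return 0.0
        return max(0.0, self.window - (self.clock() - q[0]))


class LoginGate:
    """Two limiters in front of the password check.

    Per-IP catches one host hammering many accounts; per-username (case-folded)
    catches one account being hammered from many hosts, which a per-IP rule
    alone never sees. Both count the attempt before the password is checked,
    so a lucky guess does not get a free pass.
    """

    def __init__(self, clock=time.monotonic):
        self.per_ip = SlidingWindowLimiter(limit=20, window=60, clock=clock)
        self.per_user = SlidingWindowLimiter(limit=5, window=300, clock=clock)

    def attempt(self, ip, username, password, verify):
        """Return 'throttled', 'denied' or 'ok'. `verify(user, password)` is the real check."""
        key = username.strip().lower()
        if not self.per_ip.allow(ip) or not self.per_user.allow(key):
            return "throttled"
        return "ok" if verify(key, password) else "denied"


if __name__ == "__main__":
    # Constructed scenario: one host works through a wordlist against 'admin'.
    clock_now = [0.0]
    gate = LoginGate(clock=lambda: clock_now[0])
    verify = lambda user, pw: user == "admin" and pw == "correct horse battery staple"
    for guess in ["admin", "123456", "admin123", "qwerty", "password", "company2024"]:
        print(f"{guess!r:20} -> {gate.attempt('203.0.113.5', 'admin', guess, verify)}")
    # The same account from a second host, even with the right password, is still throttled.
    print("other host       ->", gate.attempt("198.51.100.9", "Admin", "correct horse battery staple", verify),
          "(retry in", gate.per_user.retry_after("admin"), "s)")
```

The same `SlidingWindowLimiter` keyed by client IP goes in front of the enquiry form, which is what stops the thousand submissions a minute mentioned above. In a multi-process deployment the timestamps have to live in shared storage such as Redis rather than in process memory, but the windowing logic is identical.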
What Every Serious Website Should Have
What to Do Right Now
A five-minute check — do it now:
- Open your site over both http:// and https://. It must load over HTTPS (the padlock in the address bar), plain http:// must redirect there, and the browser must not warn about an expired or mismatched certificate. If any of that fails, your site is insecure.
- Open the admin panel. If the password is "admin," "123456," or your company name — change it immediately.
- Ask your developer when the last backup was taken and where it's stored.
- Find out where the servers holding your clients' personal data are physically located. Kazakhstan's data localisation rules require databases of personal data to be stored on servers in the country; if yours are abroad, that is a legal violation.
If any of these checks raises a red flag — it's time to talk to serious developers.
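The HTTPS and exposed-files parts of the check above can be scripted. What follows is an added example, not a tool from the article, that requests the plain-HTTP front page, the HTTPS front page, a few folders that commonly have directory listing enabled, and a few file names that commonly leak (the path list is a set of common defaults chosen for the example, not taken from any incident). The HTTP function is a parameter of `run_checks` so the decision logic can be exercised offline with constructed responses; only run it against a site you own.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Folders that should never show a listing and files that should never be readable.
LISTING_PATHS = ["/wp-content/uploads/", "/wp-includes/", "/backup/"]
FILE_PATHS = ["/backup.sql", "/dump.sql", "/wp-config.php.bak", "/.env", "/.git/HEAD"]

# Apache and nginx autoindex pages titled "Index of /...", Python's http.server "Directory listing for /...".
DIR_LISTING = re.compile(r"<title>Index of /|Directory listing for /", re.I)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface 3xx as HTTPError instead of following it


def http_get(url, timeout=5):
    """Return (status, Location header, first 4 KiB of body). status is None on
    connection or certificate failure. Redirects are never followed."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location"), resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location"), err.read(4096).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError, ValueError):
        return None, None, ""


def looks_like_html(body):
    return body.lstrip()[:15].lower().startswith(("<!doctype", "<html"))


def run_checks(site, get=http_get):
    """Return a list of findings for `site` (e.g. 'https://example.kz'); empty means nothing flagged."""
    findings = []
    host = urlparse(site).hostname

    status, location, _ = get(f"http://{host}/")
    if status is None:
        findings.append("plain-HTTP request failed (host down or port 80 closed)")
    elif not (status in (301, 302, 307, 308) and (location or "").lower().startswith("https://")):
        findings.append("HTTP is served without redirecting to HTTPS")

    status, _, _ = get(site)
    if status is None:
        findings.append("HTTPS request failed (no TLS, or an expired or invalid certificate)")

    for path in LISTING_PATHS:
        status, _, body = get(urljoin(site, path))
        if status == 200 and DIR_LISTING.search(body):
            findings.append(f"directory listing enabled at {path}")

    for path in FILE_PATHS:
        status, _, body = get(urljoin(site, path))
        # A 200 whose body is an HTML page is usually a theme's soft-404,
        # not a leak; a real dump, .env or config backup is never HTML.
        if status == 200 and body and not looks_like_html(body):
            findings.append(f"sensitive file readable at {path}")
    return findings


if __name__ == "__main__":
    import sys
    for finding in run_checks(sys.argv[1]) or ["no findings"]:
        print(finding)
```

A clean site produces no findings. Anything else on the list is a fix for today, not for the next redesign: enable the HTTP to HTTPS redirect, turn off autoindex, and move dumps and config backups out of the web root.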
Security as Architecture, Not an Add-On
Amanix has been building custom websites in Kazakhstan since 2023. Cybersecurity is not an optional extra for us — it's a mandatory part of every project's architecture from day one.
What we implement by default: HTTPS with TLS 1.2 or newer, bcrypt for password hashing, JWT access tokens with refresh tokens stored in Redis, parameterised SQL queries, XSS and CSRF protection, rate limiting, a CORS allow-list, secure file uploads, daily backups to separate storage, regular CVE monitoring of dependencies, and servers hosted in Kazakhstan.
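Two items on that list, parameterised SQL and hashed passwords, are the ones a cheaply built login gets wrong most often, and they fail together. The following is an added example, not the developers' own code, that shows the typical freelancer login beside a hardened one. SQLite stands in for the real database and `hashlib.scrypt` stands in for bcrypt, because both ship with Python and run offline; the table layout, user and password are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

SAMPLE_PASSWORD = "correct horse battery staple"  # constructed for the example


def hash_password(password, salt=None):
    """Salted, memory-hard hash, stored as 'scrypt$<salt hex>$<digest hex>'.
    scrypt is the stdlib stand-in here; bcrypt or argon2 do the same job."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    _, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=2 ** 14, r=8, p=1, dklen=32)
    # Constant-time comparison: a plain == would leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Verified against when the username does not exist, so a missing account
# costs the same time as a wrong password and usernames cannot be enumerated.
DUMMY_HASH = hash_password("not a real password")


def make_db():
    """Constructed sample data: the same admin stored both ways."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users_plain (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)")
    db.execute("INSERT INTO users_plain VALUES (1, 'admin', ?)", (SAMPLE_PASSWORD,))
    db.execute("INSERT INTO users VALUES (1, 'admin', ?)", (hash_password(SAMPLE_PASSWORD),))
    return db


def login_vulnerable(db, username, password):
    """Plaintext passwords and string-built SQL. A username of
    ' OR '1'='1' --  makes the WHERE clause always true: the first row comes
    back and the attacker is logged in without any password."""
    sql = (f"SELECT id FROM users_plain WHERE username = '{username}' "
           f"AND password = '{password}'")
    return db.execute(sql).fetchone() is not None


def login_hardened(db, username, password):
    """Parameterised lookup plus hash verification. The driver sends the
    username separately from the SQL text, so it can never change the query's
    structure, and the password never reaches the database at all."""
    row = db.execute("SELECT pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    stored = row[0] if row else DUMMY_HASH
    return verify_password(password, stored) and row is not None


if __name__ == "__main__":
    db = make_db()
    injection = "' OR '1'='1' --"
    print("vulnerable, real password:", login_vulnerable(db, "admin", SAMPLE_PASSWORD))
    print("vulnerable, injection:    ", login_vulnerable(db, injection, "anything"))
    print("hardened, real password:  ", login_hardened(db, "admin", SAMPLE_PASSWORD))
    print("hardened, injection:      ", login_hardened(db, injection, "anything"))
    print("hardened, 'admin123':     ", login_hardened(db, "admin", "admin123"))
```

If the plaintext table in `login_vulnerable` leaks, every client password leaks with it, which is how a single site compromise turns into the kind of mass exposure described earlier on this page; the hashed table leaks only salted digests that still have to be cracked one at a time.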