How illegal appointments resulted in the breach of the TIMS system

    In August 2023, an illegal intervention in the State Police’s TIMS system sparked a thorough investigation. Despite early warnings from IT staff at the Police Directorate, authorities only responded after 20 hours. The IT Director was detained during the copying of TIMS data and the investigation is still in its early stages. This case exposed unlawful appointments within the police IT roles, including that of Director Muça and his staff, raising concerns over data security and misuse. Investigations continue without a defendant, while experts raise concerns about the implications of using sensitive data for criminal purposes or blackmail.

    Author: Ferdinand Dervishi

    “This time it’s not the Iranians. On August 2, 2023, at midnight, an alarming email was sent to the editorial offices of several media outlets, the General Directorate of Police, the Ministry of Interior, the Secret Service, SPAK, and the Prime Minister’s office. The email described an unlawful attempt to interfere with the data of the TIMS system of the State Police by the newly appointed head of the Information Technology Department, Ervin Muça.

    The interference lasted for almost 20 hours, during which time the leaders of the State Police, despite being notified, did not react.”

    “The police only reacted on the morning of August 3rd. Around 10:00 AM, Director Muça was caught by the investigation colleagues in the act of copying data from the TIMS system. The hard drive used to extract the data was seized as evidence, testimonies of all involved and witnesses were collected, along with the contents of the cameras monitoring the premises.

    The official accusation formulated was: “Abuse of duty and unauthorized computer access.” The investigative file was sent on August 8, 2023, to the Prosecutor’s Office of Tirana as a criminal complaint. Sources from the Tirana Prosecutor’s Office affirmed about the author of the document that ‘he is only a reported person, Ervin Muça, director of the IT Department at the State Police. He is being investigated in two directions. The individuals involved in this event have been questioned and will continue to be questioned. According to preliminary data, the development of a backup procedure has been identified, but the official act of examination from the SPAK laboratory has not yet arrived. The investigation also includes the procedure for appointing Ervin Muça to the position of IT Department Director at the State Police.'”

    Officially, the event was kept under wraps. Everything changed after its publication in the media, especially due to the increased impact on the public.

    The first to react publicly, on August 23, 2023, through an opinion on his LinkedIn page, was the main accused in the incident, Ervin Muça. He wrote that he and his team had only intended to create a backup of the TIMS system materials to secure the database from any potential cyber-attack. When contacted by INA Media, Ervin Muça did not respond to the question of whether he had changed his initial stance, justifying the intervention in the TIMS system by performing a ‘backup’ procedure.

    Cybersecurity experts refute Director Muça’s alibi. “Backups of critical systems, such as TIMS, are done automatically on a daily basis. These systems are monitored, and any unperformed backup alerts the entire management chain. Systems like TIMS cannot be stored on external storage (hard disk or USB),” stated Besmir Semanaj, a cybersecurity expert, to INA Media.

    On August 25, 2023, even the Prime Minister, Edi Rama, dismissed the claim of the director, Ervin Muça, who justified the intervention in the TIMS system as an attempt to perform an incomplete backup procedure. “… the serious incident did not happen, as it could not have happened because, in the attempt to create the backup, it turned out there was no backup at all,” assured the Prime Minister.

    Similarly, on August 30, the Minister of Interior, Taulant Balla, didn’t mention the backup procedure as an argument but nevertheless defended the authors of the intervention in the TIMS system. ‘The truth is that a new team within the General Directorate of Police has taken over a complete overhaul of the technical administration and security,’ declared Balla.

    Despite alarming accusations in the media, the heads of the Albanian state hastened to downplay the event for the public, while the opposition, despite its insistence, failed to create a parliamentary investigative commission for the TIMS system intervention.

    “The fact that the event remains opaque, we’re not sure if we only have copies, but even if we do have copies, it means sensitive data, entries and exits, fingerprints, information about people under investigation or surveillance, etc., have been copied. This could be a very important database for criminal groups to monitor rival gang movements,” says Gent Progni, an IT expert. “Such databases, if sold on the black market, fetch millions of euros,” he further warns.

    But, more concerning, according to him, is the fact that this data could be used to alter identities or manipulate crime scenes. ‘The bigger problem I see is identity duplication, the use of fingerprints in different events, and even extortion. Certain groups can use this data to eliminate others or alter the identities of gang members,’ says Progni.

    Unlawful appointments within the “new team”

    Throughout this story, the most serious part involves the appointments at the top of the State Police of members of the “new team,” who have dubious pasts, including legal issues.

    Ervin Muça, in December 2021, was “under investigation at liberty” for the scandal involving the publication of the salary data of Albanian citizens.

    Nevertheless, he was appointed by the Director-General, Muhamet Rrumbullaku (by order of the Minister of Interior, Bledi Çuçi), on June 27, 2023, with no. Prot. 1178/5, to the position of Director of the IT Department in the State Police, bypassing and violating laws.

    Ervin Muça, Director of the Information Technology Department at the General Directorate of the State Police, considered the main accused in the unlawful intervention in the TIMS system.

    The most severe breach bears the signature of the former Minister of Interior, Bledi Çuçi, because Document No. 83, dated 16.06.2023, by Minister Çuçi for the appointment of Ervin Muça, is the earliest in time. So, initially, the minister ordered the appointment of Ervin Muça, and then almost all procedures were made ready, starting from legal regulations.

    Ervin Muça assumed his duties on June 19, 2023, precisely 3 days after the ministerial order and 9 days before the official appointment.

    The appointment procedure demonstrates violations of laws, one after another, starting from not declaring the vacant position, testing without competitors, a commission with an unlawfully appointed chairman for evaluating the competitor, failure to complete the 4-month course at the Security Academy “for special functions in the State Police,” failure to complete the course for obtaining the Senior Management title, non-submission of the decriminalization and credibility verification form, lack of fingerprints, etc.

    The appointment of Ervin Muça to the position of Director of the IT Department in the State Police.

    The most severe legal breach is the appointment of Ervin Muça without having the Personnel Security Certificate (CSP). He is found to have worked without the CSP for at least three months from the date of appointment, having unauthorized access to the police’s secret information. This was officially confirmed to INA Media by the National Authority for Classified Information Security (AKSIK).

    “Ervin Muça is not equipped with the CSP (Personnel Security Certificate), and therefore, there is no valid confirmation request and compliance modeling with the new workplace data,” acknowledges AKSIK.

    Besjon Tonuzi, Director in the Systems Directorate of the IT Department of the State Police, accused by colleagues of intervening in the TIMS system, was also unlawfully catapulted into the position.

    The most evident unlawfulness is related to education. It is stated that Tonuzi completed higher education in Business Administration, whereas the job position requires an IT specialist as a basic condition for “acceptance into specific functions of the State Police.”

    After the scandal of the intervention in the TIMS system erupted, on August 24, 2023, Tonuzi was dismissed from duty with the motivation: “The invalidity of the administrative acceptance act has been established.”

    The appointment of Besjon Tonuzi to the position of Director of the Systems Directorate in the IT Department of the General Directorate of the Police, which confirms the lack of relevant education.

    Another individual appointed contrary to the laws and regulations of the State Police is Ervina Gjana – Director of the Cybercrime Directorate.

    Gjana had faced a criminal procedure in 2014 by the Internal Control Service of the Police (SHKB) for appropriating the hard disk of a personal computer while being a civilian employee in the IT Directorate of the State Police. However, the prosecutor handling the case, Gj. Tako, reduced the matter to “administrative violations,” disregarding the suggestion of the Police Judicial Officer.

    The facsimile of the criminal file concerning Ervina Gjana, kept in the archives of the Prosecutor’s Office in Tirana.

    The Police Judicial Officer recommended, “… the need for further investigation to find and manage additional evidence after conducting computer expertise, as there is suspicion that this hard disk might contain classified, secret information…”

    A portion of information from the Police Judicial Officer, Arben Sulaj, “regarding the referral of the criminal act,” was sent to the District Prosecutor’s Office, Tirana, on May 29, 2014.

    Even Gjana’s appointment has an issue with the suitability of her profession. She has completed studies in Computer Engineering, while the Directorate for Cybercrime Investigations is an investigative structure.

    This is also sanctioned in the vacancy announcement form, where it states: “To thoroughly understand the legal and procedural requirements related to prevention, investigation, and tracking, as well as requirements for gathering, collecting, and processing police information.”

    Ervina Gjana, director of the Cybercrime Investigations Directorate, was appointed to this position unlawfully.

    The unlawfulness is confirmed in the appointment document. Director Rrumbullaku left incomplete the section where he should have noted the number and date of the letter from the Security Academy, which should have verified that Gjana had completed the police training course.

    The appointment order of Ervina Gjana as Director of the Cybercrime Investigation Directorate at the General Directorate of the State Police.

    Even Gjana was appointed at the helm of Cybercrime without being equipped with the appropriate security certificate for the new role. The legal deficiency was confirmed by AKSIK for INA Media. Therefore, Ervina Gjana was given the opportunity to have contact with secret information without possessing the necessary security certificate.

    But it gets worse. In the case of Ervina Gjana’s appointment, the State Police also engaged in a “minor” falsification on its official website. The announcement for the public declaration of the vacant position at the helm of the Cybercrime Directorate bears the date of 31.07.2023 and appears to be compatible with the decision to appoint Ervina Gjana, dated 02.08.2023.

    However, everything is given away by the WeTransfer application used to upload the data, which bears the date of 21.08.2023, confirming that the announcement for the vacant position of the Cybercrime Director was made 19 days after the appointment, on 02.08.2023, of the sole candidate, Ervina Gjana, to this position.

    The forgery is evident at the bottom of the official page of the State Police, announcing the opening of applications for the Director of Cybercrime Investigation. The WeTransfer application, used to upload data about the competition, bears the date 21.08.2023, not matching the date of 31.07.2023 shown at the top of the page.

    The unlawful appointments of suspicious individuals in the leadership of structures that preserve and process police secret information are ongoing.

    On November 3, 2023, the Director-General, Muhamet Rrumbullaku, upon Ervin Muça’s proposal, appointed Elona Gogo to the position of Director of Programming and Database Directorate in the IT Department of the State Police. Ms. Gogo was appointed in the same manner, bypassing and expediting procedures, despite being under investigation by SPAK (since September 26, 2019), under the charge of “Violation of equality among participants in public tenders or auctions.”

    The first session at the Special First Instance Court for Corruption and Organized Crime was held on June 7, 2023. Following the case’s publication in the media on November 9, Director Rrumbullaku reacted by dismissing Elona Gogo from duty with the motivation: “The invalidity of the administrative acceptance act has been established.”

    The order of appointment of Ms. Elona Gogo to the position of Director of the Programming and Database Directorate in the IT Department, while being judged by the Special First Instance Court for Corruption and Organized Crime for the criminal offense of “Violation of equality among participants in public tenders or auctions.”

    The State violates the Law on Information.

    Investigative Network Albania, under the Law on the Right to Information, formally requested the General Directorate of Police for documentation regarding the appointments of the “new team,” as well as clarification on legal deficiencies during the appointment procedures.

    In an official response, the General Police Directorate refused to provide the requested documents, citing the conclusion of investigations, despite these documents having no connection to the confidentiality of the investigation. Furthermore, the Ministry of Interior did not respond to a request for information from INA Media regarding these appointments.

    The response of these two institutions to the Commissioner for the Right to Information and Protection of Personal Data was not in favor of transparency at all. The Commissioner’s Office declined to compel the General Police Directorate and the Ministry of Interior to fulfill the requests for information concerning the appointments of Ervin Muça, Besjon Tonuzi, and Ervina Gjana. The Commissioner stated that the journalists’ request also involves questions about the procedures (regarding these appointments), and therefore, it is not regular.

    The damages of the “new team.”

    The “new team” of the Minister of Interior, Taulant Balla, some of whom are responsible for the intervention on August 2nd, 2023, in the TIMS system, continues working and being paid with our taxpayer money. According to police confirmation to INA Media, Ervin Muça was suspended on August 3rd, 2023, by the Central Appeal Commission at the General Directorate of Police following an investigation for serious disciplinary breaches. However, on August 8th, 2023, based on the State Police Regulations, the Central Appeal Commission suspended the suspension, allowing Mr. Muça to return to duty, reasoning that “a law enforcement implementation decision is expected from the Prosecutor’s Office of Tirana for the same matter.”

    Meanwhile, people who held key positions until then were dismissed. Nevila Xoxe, Director of the Support Services Department (a pre-existing structure elevated to department level), was initially employed under the General Director, but after the scandal of the intervention in the TIMS system she was “interned” at the Academy of Security and eventually resigned on November 8th, 2023.

    In response to an official request, the General Police Directorate did not clarify the reasons for Xoxe’s removal from the position of Director of the Support Services Department. Before her, four other employees of this sector had resigned or been dismissed, all due to pressure exerted by the new Director of the IT Department, Ervin Muça.

    Ardit Muço, the Deputy Director of the IT Department, specialized in the United States, the same person who dared to raise the alarm and inform superiors about the August 2nd, 2023 incident, was relegated and forced to resign on September 1st, 2023, after 12 years of career in this sector.

    Bruno Veizaj, the Programming Director, the specialist who built most of the programs for the State Police, was reassigned to a position where, after him, only the cleaner is seen.

    Hergis Jica, Director of Cybercrime, specialized in the United States, was reassigned within the same sector to be replaced by Ervina Gjana.

    Why did TIMS need copying?

    Why take the risk of dubious appointments at the helm of the State Police’s IT Department and further in charge of Cybercrime, a structure responsible for investigating illegal activities in the computer field? Why was the TIMS database copied?

    For experts, this entire “operation” is linked to controlling police information, particularly the secret data in the TIMS system.

    Besmir Semanaj, a cyber security expert, argues that the motive might have been entirely criminal.

    “Extracting data onto a USB or external hard drive is the process of selectively extracting specific data from a source, often for analysis, reporting, or migration (sending it elsewhere). But in our case, if the data was copied, the aim might have been to have complete information on specific individuals, for future use or to inform different persons, to keep records, and modify access, if under investigation, just as it could be used for blackmail,” says Besmir Semanaj.

    “Blackmail could be one of the reasons; such information can impact the business world, revealing who one collaborates with or travels with,” explains Gent Progni, another IT expert.

    A similarly concerning opinion was shared by the renowned criminology expert Ervin Karamuço to INA Media.

    “The extraction and transfer of TIMS data likely aimed to use this material for individual or political blackmail against specific local or foreign persons, selling this data on the black market, national or international, and creating an illegal/parallel database for unauthorized data processing of targeted individuals,” says Karamuço.

    “The intrusion into the TIMS system might also be connected to controlling information that serves SPAK’s investigations at high political levels,” he concludes.

    Four months after the illegal intervention in the TIMS system, everything remains murky and unclear. The Tirana Prosecutor’s Office has not yet announced that any individual has become a “person of interest” in connection to the TIMS system breach, although they previously acknowledged the development of a backup procedure.

    This means that individuals responsible for the unlawful intervention still have access to secret information, even though they lack security certificates.


    This article is part of a project that is financially supported by the Public Relations Office of the US Embassy in Tirana. The opinions, findings, conclusions, and recommendations expressed are those of the author(s) and do not necessarily represent those of the Department of State.