Reported by
Romanian anti-corruption prosecutors are investigating a 38 million-euro ($44.6 million) IT project at the National Trade Registry Office (ONRC) after the system caused major service disruptions and exposed personal data, according to reporting by OCCRP member center Public Record.
The platform, launched in summer 2024, blocked more than 130,000 business registrations for weeks, disrupting company formation nationwide and frustrating users.
The registry, overseen by the Ministry of Justice, manages official records for more than 1.7 million people and companies.
Draft audits by the National Court of Auditors and the Justice Ministry found serious problems. Auditors said the system was launched before proper testing, that the agency never received its source code, and that security and functionality checks were incomplete. Investigators estimated losses of more than 12 million lei ($2.7 million) because penalties were not enforced for delays and faulty testing.
Former registry director Valentina Burdescu, who was dismissed in 2024 after the audit but still works at the agency, is also under scrutiny. Her husband holds a senior post there, raising concerns about conflicts of interest. Auditors also said that financial benefits were improperly granted.
The main IT contract went to Vodafone Romania, which subcontracted software development to Total Soft SA, a company owned through firms in Cyprus and Turkey. Auditors said Total Soft was supposed to provide the source code but it is unclear whether the registry ever received it, meaning the agency may be unable to fix or review the system independently.
Public Record spoke with IT manager Vlad Herescu, who said a contractor may withhold source code to keep a client dependent for maintenance, conceal incomplete functionality, or mask poor-quality programming that could pose security risks.
Vodafone Romania said it had “fulfilled all contractual obligations” and that implementation was coordinated by the registry’s management, but did not address questions about the code or alleged vulnerabilities, while Total Soft referred inquiries back to Vodafone.
The failed IT system also triggered a data breach affecting over 3,000 individuals. The Ministry of Justice reported that the platform was unstable and insufficiently tested at the time of launch. ONRC acknowledged initial disruptions but attributed them to an unusually high number of requests.
Auditors concluded that the project was signed off nine months before it was launched, creating legal, financial, and operational risks.The case remains under investigation, and Public Record reported that the Court of Accounts’ audit is ongoing. ONRC did not respond to the Public Record’s requests for comment.
