Either Russia has experienced yet another huge leak of confidential information, or someone has devised an elaborate money-making “data sham”. Despite the uncertainty, the news has done nothing for the image of the country’s financial sector. Experts at InfoWatch believe that a high-ranking insider could well have been involved in the theft of the valuable database.
On August 15 Russian credit bureaus and banks received e-mails offering a database of borrowers who had purchased goods on credit at retail chains, the Kommersant daily reports. The database reportedly has more than 700,000 entries. However, there are grounds to believe it is a fake. Law enforcers who attempted to buy the database have so far failed to do so.
Journalists got hold of an extract from the database dated April 7, 2006. Each entry contains the borrower’s name and address, the name of the retail chain where the purchase was made, the sum of the purchase, the size of the first payment, the total sum of the loan, the length of the credit contract, the annual payments, the amount of any non-payments and any penalties. Those selling the database have asked for 90,000 rubles (approximately $3,300) for a total of 700,000 entries. A similar amount of records would cost three times as much if purchased at an official credit reference bureau where a single record costs about $0.40.
The source of the leak remains a mystery. Theoretically, banks, credit reference bureaus, retail chains, collecting agencies or the Central Catalogue of Credit Histories at the Bank of Russia could be to blame. However, closer analysis dispels most of those theories. A high-placed source at the Bank of Russia denied the accusations against the CCCH, citing the fact that the bank doesn’t possess the names of borrowers. Besides, all the databases at the CCCH are encoded, making them very difficult to access. The Bank of Russia is, nevertheless, concerned about a possible data breach and intends to launch checks both internally and at banks and credit reference bureaus.
Another theory that can be dismissed suggests that the database was leaked from credit reference bureaus. However, it is unlikely that one agency would have such large volumes of information on borrowers. Moreover, those agencies focus primarily on blacklist borrowers and the database contains information on honest clients. Collecting information from even 10 of the largest retail chains that possess such data would also be extremely problematic.
Credit reference bureau officials refuted the accusations, stating that the level of technology at the leading bureaus was so high that leakage was impossible. Bureau employees only see encoded data and access is highly restricted, though, in some cases that information is outsourced. The Federal Financial Markets Service, nevertheless, spoke in support of the credit bureaus. One official said there were three reasons that credit reference bureaus could not have been the source of the leak. First of all, the format of credit histories is strictly regulated by Russian law, and it contains no information about retail chains. Secondly, the bureaus could not have accumulated 700,000 entries as of April 7, 2006, according to the official, because they had worked only for a month by that time. Experts, however, note that some credit bureaus started cooperating with banks before their companies were officially registered, and some bureaus could have created a database of this size.
According to market representatives, the database resembles retail back office banking programs. Therefore, suspicion falls firmly on the banks, and the number operating in cooperation with retail chains is limited. Of course, bankers are hoping that the database is a fake. If that is not the case, their reputation could be severely dented. The same goes for the credit bureaus that have only recently won the trust of consumers and whose work depends on the information in their possession remaining confidential.
“If the database is real, then obviously insiders are involved somewhere – bank workers who have access to the information as part of their job. By all appearances, it would have to be a fairly high-ranking insider because the database is very valuable and would be protected accordingly. However, in my opinion, it is highly likely that nobody has stolen the database and some crooks have simply decided to earn some cash by selling a fake. Unfortunately, the situation is very ambiguous,” says Denis Zenkin, marketing director at InfoWatch.
Source: Kommersant
