There have been several large leaks of private citizens’ data over the last few months in Russia. The Valuehost hosting company had its client database put on the open market, as did 10 large Russian commercial banks. And now, we have the case of Korbina Telekom. In each case, experts have not been able to say with certainty whether the newly “opened” database was genuine or not. However, the saddest thing – according to InfoWatch experts – is that it is impossible to call to account the thieves who stole and disseminated this information. The “personal data” law comes onto the statute book at the end of January, but how long it will be after that before it starts to take effect is still not known.
The first in a series of similar incidents was news of the theft of 70,000 clients’ data from the St. Petersburg hosting provider, Valuehost. Fears that genuine data had been compromised were only confirmed at the beginning of December. Then, several hundred Valuehost sites simultaneously became infected with the same Trojan. Up till then, the leak had been regarded as a “dummy” – and a possible ploy on the part of the company’s competitors.
About the same time, in the middle of December, a database appeared for sale under the title “Anticredit”. Supposedly, the database held information on the clients of 10 Russian banks who had, for various reasons, either been refused credit, or been late in repaying loans. The information included internal passport details (such as address, marital status, date of birth, place of birth, and any previous addresses).
While various commentators and specialists argued over whether the data was genuine, InfoWatch analysts came out immediately with the correct assessment: Had the database been genuine, it would have cost several times more. Time and further study have proven the correctness of the InfoWatch analytical center’s view.
Nevertheless, some politicians and members of the public remain uneasy. To help dispel doubts, the State Duma Commission for Credit Organizations and Financial Markets made an official request to the Ministry of Internal Affairs. And last week, in a reply, the MIA again stated that the data in the database in question did not reflect the data actually held by the banking sector.
And last week, news agencies reported one more “discreet” leak. The database of users of the mobile phone company Korbina Telekom appeared on the Internet; it contains the surnames, telephone numbers and guarantee fees of nearly 40,000 clients, including those of several of the company’s top managers. The company’s comments since then may, to some degree, allay customers’ fears. They say that, under the guise of a new database, what has been released is – in all probability – four-year-old information. Four years ago, an insider programmer made private customer information accessible to the general public. But that data – over the intervening period – has almost completely lost its relevance, since many clients have changed their number, if not their operator. Also, the policy of payment of guarantee fees was dropped in 2003 – so the existence of such data indicates that the database is out of date.
Denis Zenkin, InfoWatch’s Marketing Director, said, “We should note that no matter how up-to-date the data is, in no single case is it possible to punish those responsible for a leak. The ‘personal data law’, which will allow us to call those people and companies to account who publish private data, comes into effect only on January 30th. And even then, a special commission will have to look at such cases – and it has not yet been created. In short: Private citizens are, for the time being, without protection.”