Russian Pension Fund Data Leaked to Web

As reported by the Russian news service with reference to one of the Fund’s clients, the web-site of the Russian Pension Fund (PFR) published a file containing clients’ personal information. Full names, personal tax reference numbers, and insurance and savings-account values of some of its clients can be found through Yandex search. On November 10, access to the Pension Fund’s web-site was closed; however, a file with more than 1,000 records had been cached by Yandex.

Margarita Nagoga, a spokeswoman for the Russian Pension Fund, told the Vedomosti newspaper that free access to this data became possible as a result of a technical error. She said that the data made public concerned individual entrepreneurs with insurance contribution debts. She also emphasized that the leak was local: the data of about 600 debtors in several areas of the Tver Region appeared on the Internet. According to Nagoga, the information was removed within an hour after the leak, but it remained online in cached form on Yandex, where access to it will be closed by 18:00. She also emphasized that the file data did not fall into any personal information category. The file with the Russian Pension Fund’s data has been indexed not only by Yandex; links to its information are also present at Mail.ru and Bing.

"The Pension Fund's web-site did publish a file with user data that has been indexed by all major search engines," says Yandex spokesman Ochir Manjikov. "The page was not protected by the robots.txt file," he continues. "Site admins have removed the file from the site, and it will soon disappear automatically from the Yandex search engine," says Manjikov.

Comments by Nikolay Fedotov, InfoWatch chief analyst: "'Data protection in big companies is often ensured as prescribed, rather than as it should be.' There is no doubt that the Pension Fund complies with all legal requirements concerning personal information. However, the situation shows that this is not enough. I am also certain that the affected party will not file any lawsuits, since the damage is difficult to prove in such situations — recent examples of database leaks and SMS leaks from mobile service providers are most illustrative. In order to avoid such situations in future, the companies should not only formally 'comply' with the regulations to 'satisfy' the authorities, but should actually protect their data."
