
Information leaks in Russia


2019

External drives and photos of the screen remain the main channels of leaks

According to DeviceLock's research into the channels of insider information leaks in Russian companies, more than 70% of leaks occurred in B2C companies, and more than half of those were in companies with a large customer base (retail banks, IFI, telecom operators). Another 20% occurred in B2B companies and about 10% in government institutions, DeviceLock reported on June 21, 2019.

Among leak channels, the absolute leader was exports from corporate information systems (more than 80%) that allow data to be saved in text or tabular (.xls, .csv) form on external drives. They are followed by photos of the screen taken with mobile phones, most often used in "probiv" services targeting particular persons (about 10%). This is a fairly new leak format (as of June 2019) that was practically unused in 2018 and had not drawn researchers' attention, DeviceLock researchers noted.

Commenting on the results of the research, DeviceLock founder and technical director Ashot Oganesyan noted that, despite the development of tools for fighting data leaks, a clear victory over this problem is still far off.

«
Digitalization of business increases the volume of vulnerable data and, at the same time, makes it easier to access. The economic situation encourages the formation of a black market for commercial information, both in the form of stolen databases and of "probiv" services. Many banks and telecom operators holding the largest quantity of the "new oil" are extremely vulnerable and powerless against data leaks, because in many cases the systems they use only allow them to observe and investigate incidents that have already happened, not to block illegal access to information and prevent leaks of sensitive data, he explained.
»

The research covered the period from January to May 2019 and analyzed more than 800 documents posted on various Darknet resources, as well as documents provided by sellers of "probiv" services as samples of the data they offer.

Data of 900 thousand clients of Russian banks appeared in open access

On June 9, 2019 it became known that the data of 900 thousand clients of Russian banks had leaked. Passport data, phone numbers, and the places of residence and work of citizens of the Russian Federation appeared in open access.

According to Kommersant, citing DeviceLock, those affected were clients of Alfa-Bank, OTP-bank and Home Credit and Finance Bank, as well as about 500 police officers and 40 people from the FSB.

Data on about 900 thousand Russians who are clients of OTP-bank, Alfa-Bank and Home Credit and Finance Bank appeared in open access

Experts found two databases of Alfa-Bank clients: one contains data on more than 55 thousand clients from 2014-2015, the second contains 504 records from 2018-2019. The second database also contains account balances, limited to a range of 130-160 thousand rubles. The newspaper studied the first database and established that the clients in it are mostly residents of the Northwestern Federal District, and their phone numbers are mostly active.

According to DeviceLock, Alfa-Bank customer information could have ended up online because of a mass layoff in a regional IT department in 2014. The data circulated on the black market for a long time.

As specialists note, people whose data appeared in open access may receive spam or face fraud.

Most likely, the person who deliberately compiled these databases either was an insider or found people who could steal them, Zecurion CEO Alexey Rayevsky believes.

«
Judging by the fact that the databases are outdated, most likely they were used within a narrow circle and, when they stopped being needed, became public. Now the people in these databases can become victims of a wide range of bank fraudsters, the expert believes.
»

Alfa-Bank and Home Credit and Finance Bank told Kommersant that they would study the information about the leak. OTP-bank did not record any loss of data.[1]

Data of individual clients of B&N Bank appeared in open access

After the merger with Otkritie bank, which belongs to the Central Bank of the Russian Federation, personal data of B&N Bank clients appeared in open access. DeviceLock reported this on April 15, 2019.

Data of 120 thousand bank "refusenik" clients leaked onto the Internet

On April 12, 2019 it became known that a database of bank "refuseniks" had appeared on specialized Internet forums. It concerns information on about 120 thousand clients (the figure stated in the database description) whom financial institutions refused to serve under the law on countering the laundering of criminal proceeds and the financing of terrorism (115-FZ).

Most of the database consists of individuals and individual entrepreneurs (IE), and part of it of legal entities. For individuals, the database contains full name, date of birth, and passport series and number; for individual entrepreneurs, full name and TIN; for companies, name, TIN and PSRN. One of the banks unofficially confirmed that the list contains real refused clients. The information security experts polled could not recall another case in which a leak of bank client data was linked to the Central Bank.

Records are dated from June 26, 2017 to December 6, 2017. From the first of these dates the Bank of Russia began distributing the blacklist of clients under regulation 550-P. The distribution mechanism looks roughly like this: banks identify clients whom they refuse to serve on suspicion of violating 115-FZ and send information on these clients to the Central Bank, which in turn sends it to Rosfinmonitoring. Rosfinmonitoring processes the data received from banks and passes it back to the Central Bank in aggregated form, and the Central Bank passes it to banks. Thus, all banks receive an updated list of suspicious clients compiled through the efforts of the whole sector. The leaked database began circulating several months ago, but neither the Central Bank nor Rosfinmonitoring knew about the leak.

Rosfinmonitoring said it rules out the possibility of a leak on its side. The press service of the Bank of Russia said that the regulator delivers information on refused clients to market participants in encrypted form over secure communication channels using certified means of cryptographic information protection.

«
Responsibility for the safety of the information and for not passing it to third parties lies with the financial institution that received it, the Central Bank says.
»

The Central Bank did not specify whether the regulator is going to take action to rule out similar leaks in the future.

The leak could have happened in many ways, experts point out.

«
From the Central Bank, Rosfinmonitoring, any bank. Only the Central Bank should have held the database, with banks sending it requests to check clients. In that design it would at least be simpler to localize the leak and understand where it happened. Now that probably cannot be done.
»

Thus, according to the expert, the information security mistake was made at the system design stage.

The leak is dangerous to clients not only because of the disclosure of data but also because of the very fact of being in the database. Clients can end up on the banks' blacklist by accident, lawyers note.

«
Banks often blacklist honest clients through negligence or because of a technical error. For people on the list, dissemination of this data can, in addition to difficulties with bank service, lead to problems with security services when applying for jobs, partners refusing to sign contracts, and other risks.
Amin Appayev, lawyer of FMG Group
»

«
Such leaks can lead to the most unexpected negative consequences, up to the exposure of state secrets. One example is the case of "Petrov and Boshirov", whose real names were compromised using leaked databases, including those of the traffic police.
Alexey Rayevsky, CEO of developer of information security systems Zecurion
»

«
Dissemination of such databases first of all infringes on personal privacy. The criminal code provides for punishment of up to five years of imprisonment for this where official position is used and the data is disseminated on the Internet. Such actions can also be qualified as illegal access to computer information (imprisonment of up to seven years).
Alexey Gavrishev, partner of BMS Law Firm
»

Amin Appayev believes that the crime also falls under the article on illegally obtaining and disclosing information that constitutes bank secrecy (up to five years of imprisonment, and up to seven years if the act entails grave consequences). According to the lawyer, it is a matter of public prosecution, so law enforcement agencies must open an inquiry. Dissemination of such databases falls within the competence of the Investigative Committee of Russia[2].

About one thousand open databases found in Runet

On April 11, 2019 it became known that DeviceLock, a Russian producer of systems for fighting data leaks, had conducted a study of the security level of cloud databases located in the Russian segment of the Internet.

In the course of the research, the company's analysts found and examined more than 1900 servers running MongoDB, Elasticsearch and Yandex ClickHouse, more than half of which (52%) allowed unauthorized access, while 10% also contained personal data of Russians or commercial information of companies. Another 4% had already been compromised by hackers and carried ransom demands.

Among the databases found and identified were, in particular: the client database of the financial broker Finservice (finservice.pro), 157 GB in size, containing names, addresses, contact and passport data, credit histories and information on issued loans; the database of the auto-dialing service Zvonok (zvonok.com), 21 GB in size, containing phone numbers and call recordings; data of Moscow emergency medical service stations, more than 17 GB in size, containing all information on ambulance crew call-outs, including the names, addresses and phone numbers of patients; the database of the Russian telemedicine service Doc+, more than 3 GB in size, containing data of employees and some users (including diagnoses); databases of the information system "Network City. Education", containing personal data of pupils and teachers of schools in Yekaterinburg, Ingushetia, Sverdlovsk region and Yakutia; and a large number of customer databases of various e-commerce projects.

According to DeviceLock founder and technical director Ashot Oganesyan, the key reason for such a scandalous situation with unauthorized access to cloud databases is configuration errors caused by the extremely low qualification of their users and the absence of information security audit procedures in companies.

Another big problem, according to him, is identifying the owner of an "open" database, which is not always possible from its contents.

«
We find an open database containing personal data and do not know whom to tell that access to it needs to be closed. Hosting providers do not give out owners' data and, as a rule, often consider users' configuration errors not to be their problem.
Ashot Oganesyan
»

Besides, owners of such databases react extremely slowly to notifications.

«
Unfortunately, when we contact owners and tell them of the need to close access to the data, the vast majority of them react too slowly or do not react at all. I know of more than a few cases where open databases we found were downloaded by hackers after our notification.
Ashot Oganesyan
»


The company plans to approach Roskomnadzor, which is responsible for overseeing compliance with 152-FZ ("On Personal Data"), with a proposal to develop a procedure for blocking open databases that contain personal data.

«
It is not necessary to block access immediately, but a procedure can be created under which Roskomnadzor receives information about the existence of such a database and sends an order to the hosting provider. The hosting provider notifies the owner of the database, who either eliminates the violation within the set period, or access to the database is blocked.
Ashot Oganesyan
»

2018

24% of leaks of confidential information from state and commercial organizations are linked to fraudulent activity

On June 25, 2019 InfoWatch reported that in Russia about 24% of leaks of confidential information from state and commercial organizations are linked to fraudulent activity. The level of fraud based on data stolen from Russian companies is almost three times higher than in the world. About 80% of such incidents in Russia are connected with the actions of managers and employees. In half of the incidents the fraud is based on data from paper sources. Cases of fraud are most often noted in the banking sector and in communications companies.

Distribution of leaks by incident type in Russia and the world

Within the total set of incidents traditionally studied by InfoWatch analysts, in addition to "classical" leaks there is an extensive layer of leaks "burdened" by fraudulent activity. These are primarily bank fraud, direct sale of data to interested parties on request, and obtaining various services using another person's user data.

According to the InfoWatch analytical center, in 2018 leaks of confidential information linked to fraudulent activity involving data accounted for 8.5% of all registered leaks. In the Russian distribution the share of fraudulent incidents was almost three times higher, at 23.7%.

Such a high share of fraudulent activity in the Russian "pie" of incidents can be explained by a combination of several factors. First, Russia is being integrated ever more deeply into global digital processes, and the value of each record of user information is becoming quite tangible at present. Second, the implementation of information security tools on the whole still lags behind the pace of digitalization. Third, clear moral imperatives regarding other people's data have not yet formed in society. Managers at mobile operators, bank clerks, police officers and other categories of employees through whom personal data regularly passes quite often perceive this body of information as their own fiefdom and reserve the moral right to handle citizens' data at their own discretion.

Distribution of data incidents by responsible party in Russia and the world
«
When controls over information systems are loosened, a wide field for fraud opens up to offenders among employees. And where a respectful, careful attitude to other people's personal data has not been developed, a consumerist attitude to data assets flourishes in companies. It must not be forgotten that personal data is the key to many modern services. Therefore fraudulent use of confidential information threatens the public well-being of citizens and provokes a crisis of confidence in many companies and state organizations,
Natalya Kasperskaya, president of InfoWatch Group, comments on the results of the research
»

Globally, a substantial share is taken by fraudulent incidents caused by the actions of external attackers. Accordingly, the percentage of such incidents caused by non-management employees is lower in the world than in Russia.

In our opinion, the small share of fraudulent leaks caused by hackers in Russia is generally connected with the relatively low level of development of digital repositories from which valuable information can be obtained in structured form. At the same time, the digital assets of a number of large companies and authorities are probably, on the whole, reliably protected from external attacks.

Distribution of data incidents by channel in Russia and the world
«
In protecting against leaks linked to fraudulent activity, corporate information security services should focus on monitoring employees and top managers, that is, those whose regular work involves access to electronic databases and paper archives. In this respect the internal offender is more dangerous than the hacker, because he has deep knowledge of what information is stored where. It is therefore easier for employees and management to focus their attacks, not extracting large layers of data at random but stealing specific information, including on request, for quick gain.
»

In 2018, worldwide, the largest share of leaks linked to fraud occurred via the network channel. In Russia, incidents resulting from the compromise of data from paper archives dominate, and the network is in second place by a wide margin.

Distribution of all incidents by industry in Russia and the world

The low percentage of fraudulent incidents involving the use of e-mail by Russian offenders is explained by the fact that this channel has historically been quite reliably monitored in domestic organizations. Knowing about the protection systems, dishonest employees do not risk using e-mail to send stolen information and choose other channels. Worldwide, e-mail inside organizations is also rarely used for fraudulent purposes, but it has become one of the favorite channels for external attackers carrying out phishing attacks.

In the global picture of leaks with a fraudulent element, state organizations and the financial sector account for an equal share of incidents, 18.2% each. In Russia the financial sector dominates, accounting for every fourth incident. The public sector and hi-tech companies are in second and third place.

Share of incidents by industry in Russia and the world

As for the percentage of fraudulent data incidents in different verticals, worldwide the largest share of fraud was in the banking sector, followed by state and municipal organizations. In Russia, in many industries the share of fraud based on confidential information is several times higher than worldwide, and in the hi-tech segment it is much higher. Offenders most often use data for fraudulent purposes in those organizations where the data can most quickly be "converted" into money and where it is easier to bypass protection systems (or take advantage of their absence).

«
It is reasonable for companies to take a comprehensive approach to fighting internal data-based fraud. In addition to implementing antifraud systems, DLP and behavioral analytics (UBA), systematic work with personnel is required, including trainings, seminars and other educational events on the protection of personal information. In addition, companies can implement special projects to inform users about threats to their personal information and methods of countering fraud.
»

270 cases of leaks of confidential information from commercial and non-profit organizations

On May 28, 2019 InfoWatch reported the results of an analytical study according to which 270 cases of leaks of confidential information from commercial and non-profit companies and state organizations were registered in Russia in 2018. This is 6% more than in 2017. The share of leaks resulting from the actions of external attackers fell by more than half, to 9.5%. About 39% of incidents were in state and municipal organizations.

In the worldwide distribution the share of "Russian" leaks was 12%. The volume of compromised personal data attributable to Russian companies and state organizations did not exceed 1% of the total volume of data compromised worldwide.

While in 2017 hacker attacks accounted for 21.3% of registered leaks in Russia, by the end of 2018 this share had fallen to 9.5%. The relatively small share of leaks caused by external attackers should not mislead. The statistics show that the internal violator remains the main problem for Russian information security. But the growing value of such data and the increase in the amounts of data processed by companies will inevitably lead to growth in the number of external attacks. This is not only, and not so much, about "advanced" hackers working to order as about mass break-ins aimed at pulling at least something valuable out of organizations: databases, aggregated information on employees.

According to 2018 data, nearly 78% of incidents that led to the compromise of restricted-access information were caused by deliberate or careless actions of personnel. A higher share of leaks caused by company management, 8.8% compared with 3.2% worldwide, is also characteristic of Russia.

Apart from the obvious interest in how the picture of leaks forms in our country, the preparation of a separate study of data leaks for Russia stems from the authors' wish to once again draw public attention to the problem of leaks of the type of information that is the main one for our country (by number of recorded incidents): personal data.

Natalya Kasperskaya comments:

«
In many countries we observe a tilt toward technically simpler administrative regulation of data security through higher penalties and tougher requirements. Indeed, if citizens' personal data is an asset of the state, then the state should also ensure its protection through strict regulation of the processing (in a broad sense) of personal data both within its own bodies and in the commercial sector. Against the background of this worldwide trend toward tougher administrative liability for the compromise of personal data, regulatory policy in Russia still looks quite soft. Victims of personal data leaks can expect compensation for the harm done through court proceedings. But the amount of compensation seldom exceeds 10 thousand rubles, and such cases number only a handful.
Natalya Kasperskaya, president of InfoWatch Group
»

The distribution of leaks by data type shows a small number (compared with the world picture) of cases of compromise of payment data, with shares of leaks of state and trade secrets comparable to the world's. The reasons for this deviation lie in the uneven penetration of protection systems into different industries, which is inherent in the Russian cybersecurity sphere. Organizations whose activity involves processing payment information are traditionally considered leaders in the use of information security solutions. These are first of all banks. The same cannot yet be said of companies where processing payment data is not among the key operations (that is, most organizations that actively do business and store data of clients and partners).

Regrettably, staff of companies with legitimate access to the personal data of users and clients often lack elementary knowledge of the rules for safe handling of restricted-access information, or intentionally ignore prohibitions and security policies.

Sergey Hayruk explained:

«
The growth in the number of incidents involving deliberate compromise of personal data is explained by the fact that Russia is gradually being integrated into the worldwide paradigm of general "digitalization", one of whose necessary features is an environment for providing services in electronic form. "Digitalization" makes it possible to "detach" the real person from the electronic profile. Obviously, this possibility generates demand for other people's personal data "tied" to various electronic services, whether accounts in car-sharing apps, personal accounts in cadastral registration systems, or even registered SIM cards. In the simplest case, the mechanism for using someone else's data works so that the service is received by the offender who stole the data, while it is paid for by the data's "owner", the person in whose name the violator acts.
Sergey Hayruk, analyst of InfoWatch Group
»

Personal data is thus becoming increasingly valuable to various fraudsters. People with access to such data are tempted to copy it from a system and sell it to the first person who offers a material benefit, cash, for an intangible asset.

The research once again confirmed the thesis that a higher share of so-called "qualified" data leaks is characteristic of Russia. These are cases where the offender knowingly uses stolen information for personal gain (data fraud, bank fraud), or obtains access to information clearly not needed to perform his job function (exceeding access rights).

InfoWatch Group analysts attribute the large number of "qualified" leaks in Russia to a relatively low level of information security culture. Staff of organizations who deal with sensitive information daily periodically "forget" that the result of their work is a work product and, as a general rule, belongs to the employer. Hence the numerous cases of sale of databases containing information about the clients and partners of the employer organization, and attempts to "find one's interest in someone else's pocket" by receiving not only a salary but also a "bonus" from the employer.

The dominant channels for leaks of confidential information from organizations in Russia are paper media and the network. They accounted for about 45% and about 43% of incidents, respectively.

Leak scenarios involving "paper documentation" are still the most typical for our country. Organizations post lists of debtors with full personal data at building entrances. There is no need even to mention banks, insurance companies and authorities dumping copies of clients' passports next to their offices; such stories have become all too common.

The number of deliberate leaks via channels such as "removable media" and "loss and theft of equipment" in 2018 was in single digits. Offenders, knowing that their actions are monitored, simply do not use these channels.

Leaks from the public sector and local authorities occupy a more noticeable place in Russia than in the world as a whole: state and municipal bodies together account for 39% of all cases of information compromise recorded in 2018.

Next in significance are leaks from organizations in trade and entertainment (14%) and the financial segment (12%). The small share of "medical" leaks, 8.5% against 19% in the worldwide distribution, is explained by the relatively low level of "digitalization" of Russian medicine and the particulars of how Russian health insurance has developed. Paradoxically, the backwardness of Russian medicine in terms of digitalization serves as a guarantee of the relative security of personal data in medical institutions.

The highest percentage of deliberate leaks in Russia is in banks and finance (70%), high technology (65.2%), and industry and transport (60%). Thus, the data assets of these three verticals look the most attractive to offenders.

Sergey Hayruk summarizes:

«
Given the identified features of the Russian picture of leaks and the known factors that shape it, the most acceptable approach is to build and use protection systems that make it possible to control specific types of restricted-access information (databases, financial documents, information constituting a trade secret) and to carry out "deep" monitoring of "problem" communication channels (outgoing Internet traffic, paper documents, data transfer to removable devices). In addition, attention should be focused on comprehensive use of employee behavior analysis tightly bound to employees' role in the company and the scope of their access rights to information. Ideally, such protection is complemented by a solution for countering external attacks.
Sergey Hayruk, analyst of InfoWatch Group
»

30% of Russian companies increased their security budget

On February 19, 2019 SearchInform published the results of its study of business information security for 2018. It concerns threats that come not from external attackers but from inside the company, from employees. 1024 representatives of Russian business took part in the study. About 718 more people took the survey in other countries where SearchInform operates (the Middle East, Latin America, the Republic of South Africa, the CIS).

Data leaks

66% of companies faced leaks caused by insiders in 2018. Commercial information leaked most often: about clients and transactions, partners, accounting (51% in total); technical information leaked less often (24% of cases).

Personal data also leaks easily (20% of cases), but companies still very rarely announce such events in the media. Only 3.5% of organizations do so. Nevertheless, this figure is higher than the previous year, when only 2% of organizations announced leaks in the media.

But companies have begun to inform victims about incidents much more actively. Over the year the figure grew by almost 16%, to 28%.

«
"The share of companies in the Russian Federation that acknowledge responsibility for an incident is steadily growing and will soon equal the world figure. It is quite an interesting trend, since sanctions in Russia and in the world differ radically. For example, in Russia the penalty for disclosure of personal data is measured in tens of thousands (of rubles), and in the European Union in millions (of euros). Thus, the main reason is the personal responsibility and conscientiousness of domestic companies, and not at all the threat of a penalty".
»

The number of documents in the form of images (scans, photos, screenshots, PDF) has increased considerably of late. Three years ago such documents made up no more than a third in organizations. According to the SearchInform study, in 2018 in 54% of companies half or more of the information is stored in graphic formats. A third of such documents leak by e-mail, and employees take out another 30% of documents on mobile devices.

«
"To register for services, draw up accounts or agreements, make payments and receive discounts, clients increasingly submit data and documents in the form of photos and scans to large banks, shops and operators. For these organizations, protecting personal data and other confidential user information from leaks becomes crucial to avoiding financial and reputational risks".
»

Other incidents

Analysts asked not only about leaks, but also about other incidents. In 2018 15% of the companies noted growth of number of internal incidents, is 9% more, than the previous year. It matches that dynamics which is observed in other countries where survey was conducted.

As showed data of poll, 74% of incidents allow non-management employees. Most often managers of departments of supply (corruption capacity of a profession), accountants and financiers (access to critical data, money) become violators. Nearly a half of all incidents falls to the share of both professional industries.

Violation rates are also high among assistant administrators and IT specialists (16% and 15% respectively). The reason is the same for both: access to critical information and privileges.

The budget on software

Against this background it is notable that 30% of companies reported a growing security budget, while another 12%, on the contrary, cut costs. Russian companies still mostly limit themselves to installing anti-virus software and using Windows administrative tools and NGFW. Use of more complex products, namely DLP and SIEM systems, is predictably low.

SearchInform attributes these dynamics to regulator requirements. Landmark cybersecurity laws have come into force both in Russia and worldwide: in Russia this is FZ-187, and abroad the GDPR directives, which have extraterritorial effect.

What is controlled

As in 2017, the main communication channels that employers monitor are e-mail (29%) and external media (20%). Telephony (15%) and internet messengers (11%) worry managers less. These figures continue last year's dynamics.

What worries employers most about employees is a disloyal attitude to the company, sabotage and the spreading of negative information (21%, 21% and 23% respectively). Another 16% of employers are concerned about employees' dangerous addictions.

As SearchInform noted, companies' interests go beyond monitoring loyalty. It is important for cybersecurity specialists to understand employees' personal problems that can be dangerous to the business and the team.

Damage and punishment

Most often incidents resulted in reputational and minor financial damage (28% of answers). Roughly the same number of violations led to major financial damage and to compliance risks, that is, the threat or fact of punishment by the regulator.

Only 4% of Russian companies disregard incidents and apply no sanctions against violators. 34% of employers dismiss violators, and half issue a reprimand or a fine (23% and 27%). Only 8% of companies take the matter to court.

«
"Companies prefer not to take their conflicts into the public arena. Only a few decide to do so, and only in the most scandalous situations. Then the data obtained from software packages, in particular DLP systems, often serve as evidence. Unfortunately, this fact often does not appear in the case papers. Still, in some cases proving an employee's guilt turns out to be extremely difficult, both because there are no systems for recording violations and because the company lacks regulations in this respect".
»

Every sixth data leak is registered at enterprises of the Ural Federal District

On February 13, 2019 the InfoWatch Urals company reported that it had summed up the results of a study by the InfoWatch Analytical Center on corporate information security in businesses and state organizations of the Ural Federal District. In 2018 organizations of the district allowed 30% more data leaks than in 2017, a growth rate five times the all-Russian figure. In the regional distribution of incidents the share of the Ural Federal District grew from 13% in 2017 to 16% in 2018, i.e. every sixth data leak in Russia in 2018 happened in organizations of the Ural Federal District.

Ratio of registered data leaks, Ural Federal District vs. other Russian regions

According to the company, nearly half of the respondents polled by InfoWatch, drawn from cybersecurity specialists and heads of enterprises in the macroregion, allow that leaks of confidential information may have occurred in their companies over the last three years. At the same time 39% of survey participants acknowledged that the information security systems at their enterprises do not fully protect against modern cyberthreats, including data leaks.


In organizations of the Ural Federal District, as across Russia in general, personal data account for more than 80% of all leaks. At the same time, the most liquid data, trade secrets and production secrets, leak one and a half times more often in the Ural Federal District than in other regions. Payment information leaks in the region half as often as the national average.

Distribution of leaks by data type, Ural federal district, 2018

The study's authors estimate that the large share of leaks involving commercial secrets and know-how is linked to the fairly high concentration of large industrial enterprises in the Urals. While having high production potential, local enterprises are probably not fully prepared to prevent leaks of commercial data, above all leaks caused by internal malefactors, InfoWatch experts noted.

In every fourth leak, the information lost from organizations of the Ural Federal District was used for fraudulent purposes or had been obtained through illegitimate access to enterprise information systems.

Distribution of data leaks as incidents, Russia – Ural Federal District, 2018
«
Restricted-access information, which includes trade secrets and know-how and the payment and personal data of clients, is as a rule insufficiently protected at many enterprises of the region. As a result, malefactors who have access rights to internal information systems are able to derive personal benefit from the data the employer handles. For example, in Magnitogorsk the head of a pension fund office transferred citizens' personal data to an employee of a commercial bank. This information was then illegally used in the activity of the credit institution. So-called "internal" leaks result from errors of a legitimate user or failures of automated information processing systems. In such cases, as a rule, a large volume of data leaks. Because the staff of an organization have access to the most sensitive business information, their malicious actions can cause the organization more serious damage than hacker attacks.

Andrey Arsentyev, analyst of InfoWatch Group
»

As in Russia as a whole, in 90% of data leaks in the Ural Federal District the incident was caused by the actions of an internal malefactor in the organization, i.e. an insider.

Distribution of data leaks by vector of influence, Ural Federal District, 2018

Most respondents believe that DLP (Data Leakage Prevention) systems with a predictive analytics module (User and Entity Behavior Analytics, UEBA) can reduce the threat of intentional data leaks by personnel. Such solutions use artificial intelligence and deep analysis of Big Data to identify employees who, for example, intend to leave the company, and thus to prevent probable abuse of their access to confidential information.

In almost 70% of cases unprivileged employees were responsible for data leaks from organizations of the Ural Federal District. At the same time, leaks caused by privileged users (top managers, middle managers and system administrators) occurred considerably more often in the district in 2018 than the year before: their share rose from 7% of violations in 2017 to more than 16% of incidents in 2018.

Distribution of data leaks by responsible party, Ural Federal District, 2018

In most cases data leaks, both in Russia and in the Ural Federal District in particular, happen through two channels: the network and loss of paper documents. At the same time, the share of incidents involving loss of corporate data on paper media in the district exceeds the all-Russian share by 20%, while the share of leaks via the Internet and cloud storage is, on the contrary, 20% lower than the national average.

Distribution of data leaks by channels, Ural Federal District, 2018

Representatives of Ural businesses and local state organizations consider regular training for employees, aimed at raising cyber literacy in data protection, to be the most effective way to improve the culture of handling personal data. Yet only 35% of respondents said that such events are held regularly in their companies, for example at least once a year.

In 2018 the greatest number of data leaks in the Ural Federal District was recorded in medical institutions (21%), banking and financial institutions (16%), and state and municipal authorities (12% each). Data leaked least often from educational institutions (9%), trade organizations (9%) and industrial enterprises (7%).

Distribution of data leaks by industry, Ural Federal District, 2018
«
As of February 2019, modern technologies are penetrating different spheres of our life, from the service industry to medicine, so special attention should be paid to the information security of these processes. For effective protection of corporate data and information systems, organizations need to build hybrid protection that includes, first, countering the internal threats arising from employees' actions by implementing data leak protection systems and, second, repelling external attacks. The latter can be caused by the exploitation of vulnerabilities due to low-quality program code in a product implemented at the enterprise. Therefore, if a business needs to create any IT product, it is necessary to involve information security specialists already at the development stage and to establish secure development.

Nikolay Babichev, CEO of InfoWatch Urals
»

Large-scale leak of data on Sberbank staff

In October 2018 Sberbank suffered a large-scale information leak. A database containing genuine information on 421 thousand employees of the bank was posted online.

The leaked database contains employees' surnames and first names, the divisions in which they work, their e-mail addresses and the logins for access to their work computers.

The database is a plain text file of about 47 MB. It affects employees not only of Sberbank but also of its subsidiaries, including foreign ones. According to those who have already examined the file, it contains three e-mail addresses of German Gref, the head of Sberbank.

According to Sberbank's press service, the source of the leaked information could have been a current or former employee of the bank acting maliciously. So far this is only a theory, and as of October 29, 2018 the actual cause of the leak and its source had not been officially disclosed. Sberbank's management has already been informed of the situation.

The database of Sberbank staff posted online is current as of August 1, 2018. In other words, the information in it has not yet had time to become outdated, and even if some of the people whose names and e-mail addresses it lists have since changed their place of work or e-mail address, they are a clear minority.

The authenticity of the data in the leaked database has already been confirmed by some of the bank's employees whose e-mail addresses and names were on the list. Confirmation also came from a representative of a third party connected with the bank's information security.

Even so large a leak will not become a problem for Sberbank's information security. The database contains no sensitive information: an e-mail address and a computer login can be replaced in a couple of minutes, and the source of the leak was unable to obtain employees' phone numbers or home addresses.

Nevertheless, so large a leak can strike a blow to Sberbank's reputation. In his interviews German Gref quite often mentioned the maximum protection of any information stored in Sberbank's databases, and there is now real reason to doubt his words. The bank's clients, both current and potential, may lose trust in it: if it could not protect its employees' data, there is no guarantee that the personal data of account and deposit holders will not leak[3].

2017: Data of 17 thousand people leaked from the Pension Fund

In the summer of 2017 the Pension Fund of the Russian Federation set up a special commission to investigate a leak of the personal data of more than 17 thousand people. This was reported by Mikhail Zheleznyakov, assistant head of the media relations department of the Pension Fund of the Russian Federation branch for Moscow and the Moscow region[4].

Web developer Sergey Deryabin reported the data leak on Geektimes, a blog platform for IT specialists. On June 9, 2017 he received a bulk mailing from a department of the Pension Fund (RPF). The attached MS Excel document contained data on 17752 people, including their dates of birth, registration addresses and Insurance Number of Individual Ledger Account.

"The letter was received on 09.06. The file with the table was created much earlier, and I suspect that it initially contained the insured of all departments of the Pension Fund. Apparently, on June 09 the excess rows with insurers of other Pension Fund offices were deleted from the file. Therefore I quite naturally suspect that the data of the insured, at least across Moscow and the Moscow region, were sent out to entrepreneurs in this way", Deryabin wrote.

The RPF states that it observes all personal data protection requirements using modern cryptographic protection, but so far it cannot definitively confirm or deny that personal data were mailed out in letters to clients. Marina Gustova, head of the media relations department of the Pension Fund branch, announced that the incident is being investigated.

2016

Number of data leaks in Russia grows by 89% to 213 cases

In June 2017 it became known that the volume of leaked confidential information in Russia increased 100-fold in 2016. The data were provided by InfoWatch, a company specializing in corporate information security.

Over 2016 experts counted about 213 information leaks in Russia, which compromised 128 million records of confidential data, including data relating to bank cards and accounts. The number of leaks increased by 89% compared with 2015, and the amount of data lost in these incidents increased more than 100-fold.

Most leaks of confidential information happened in state bodies (21.6%), IT companies (14.65%), educational institutions (13.6%) and banks (11.75%). Every tenth data leak in the Russian Federation occurred in small business, which specialists attributed to insufficient funding, negligent handling of restricted-access information and insufficient control of personnel.

The main leak channels in 2016 were browsers and paper documents, at 64% and 26% of cases respectively. The share of payment information leaks in Russia (2.8%) is lower than in the world as a whole (7.3%). At the same time, data on trade secrets and know-how account for 12.2% in Russia and 5.4% worldwide.

Russia also records a high share (25.5%) of "qualified" leaks, in which the stolen data are later traded (worldwide this indicator reaches 17.3%).

According to InfoWatch's data for 2016, about two thirds of leaks in Russia are caused by company staff with access to confidential data. Staff of organizations accounted for 84% of leaks in 2015 and 65% in 2016. Worldwide the corresponding figures are 52% and 34% respectively.

SearchInform: Half of the companies in the Russian Federation faced data leaks

SearchInform conducted a study and found that from 2014 to 2016 the number of attempted information leaks by staff of Russian companies grew by 17.3%. To establish this, experts of the analytical center examined data from 500 SearchInform clients for that period.

Researchers determined that 31.4% were deliberate theft of information (including saving information to personal media "just in case" or ahead of a job change) and 17.9% were accidental data leaks or the result of social engineering. 50.7% were incidents whose motives could not be established unambiguously.

On February 1, 2017 SearchInform announced the results of its analysis of the state of confidential information protection among organizations of the Russian Federation in 2016.

Representatives of companies from different industries were polled in the course of the research.

The situation in organizations of different sizes was analyzed:

  • up to 100 employees - 27%
  • 100-500 employees - 36%
  • 500-1000 employees - 12%
  • 1000-1500 employees - 7%
  • more than 1500 employees - 17%

Leaks and attempts of theft of information

In 2016, 49% of Russian companies faced leaks of confidential data. Most often information leaks because of employees' carelessness and negligence.

Organizations in Izhevsk (85%) and Nizhny Novgorod (64%) suffered from leaks more than others. Moscow was third by number of leaks, at 58%. The fewest incidents occurred in companies in Simferopol (23%).

17% of Russian organizations managed to stop an attempted data theft.

Confidential information is of interest to many employee categories, but in 2016 the top three were:

  • non-management employees,
  • heads,
  • accountants.

These specialists were responsible for leaks more often than others.

The data that leaked most often from Russian companies:

  • 25% - data on clients and transactions
  • 18% - trade secrets
  • 18% - technical information
  • 15% - personal data
  • 12% - information on partners
  • 9% - internal accounting.

In different regions the greatest insider activity is shown by different employee categories:

  • in Izhevsk – ordinary specialists (64%),
  • in Vladivostok – heads (23%),
  • in Irkutsk – accountants, economists and financiers (33%),
  • in Orenburg – system administrators (20%).

47% of Russian companies faced attempted data theft by former employees. Some, on leaving the organization, steal information out of resentment and a desire for revenge, others to "cajole" the new employer.

Insiders are punished in different ways; in 2016 the most common punishment was dismissal. This indicator is practically unchanged from the previous year.

Offenders are most often dismissed in Moscow and Krasnoyarsk (34%), fined and deprived of bonuses in Irkutsk (33%), and reprimanded in Simferopol (26%).

In 2016 Russian companies began to announce incidents more often: 13% of them notified clients of leaks that had occurred and apologized. A year earlier 11% of organizations did so. Most companies preferred to keep silent about information leaks.

Companies from Omsk, Irkutsk, Vladivostok and Ufa (100%) were the most reticent. Companies most often apologized for incidents in Nizhny Novgorod (43%).

  • 40% of companies rate the importance of confidential data protection at 10 of 10 points
  • 16% – 5 of 10 points
  • 14% – 8 of 10 points
  • 12% – 7 of 10 points

Leak of car owners' data from the traffic police

On May 20, 2016 it became known that a free service, autonum.info, had gone live on the Internet, allowing anyone to find the name and phone number of a car's owner by its license plate number. The project's authors say that users submit the data, but experts are sure this is a data leak from the traffic police database or from some companies.

According to Vedomosti, data from autonum.info can be obtained on the website and by request to a bot in the Telegram messenger. As of 3 p.m. on Friday, May 20, the website was unavailable and only the Telegram bot worked.

Large leak of personal data of the Russian car owners is recorded

A spot check by Vedomosti showed that in 70-80% of cases a lookup by license plate on autonum.info returns the car owner's real name and current mobile and landline phone numbers, and the car make is also identified correctly.

The service's developers assure that the database is built by users and is intended, for example, to find the owner of a car that is blocking the way. However, car owners polled by the newspaper claim that they did not send their data anywhere.

Judging by the large number of posts on social networks and specialized forums from people who found themselves on autonum.info, there can be no question of users filling the database themselves, says InfoWatch Deputy CEO Rustem Hayretdinov. Most likely, he assumes, the service uses the database of the traffic police or some other organization.

The website uses a compilation of traffic police and insurance company databases as well as information from open sources, private detective Sergey Drykin believes.

Roskomnadzor already knows about autonum.info. The supervisory agency has begun examining the question of compliance with personal data law.

The autonum.info website was registered in April 2016, and its servers are located in Holland. The owners of the service are unknown. On May 18, 2016 alone, 8199 license plates were added to autonum.info, the newspaper notes.[5]

2015: 59 cases of data leaks in the 1st half-year

In the first half of 2015 Russia took second place in the world by the number of leaks of confidential information on the Internet, Kommersant wrote, citing InfoWatch research.

In the six months of 2015, the research says, 59 cases of leaks of confidential information from Russian companies and state organizations were registered.

The companies recorded as affected by leaks over the half-year include MTS, VTB 24, the Russian Railway and SOGAZ, as well as Apple, Google, Lenovo, Microsoft and others. 90% of leaks involve disclosure of personal data. Over the studied period more than 262 million records of personal data, including payment information, were compromised.

In 65% of cases the party responsible for the data leak was an employee of the affected organization, as a rule a lower- or middle-level manager, the study's authors specify. Hacker attacks accounted for 32 percent of the total number of incidents, but these attacks are the most effective, they emphasized.

In total, 723 cases of leaks of confidential information were recorded worldwide in the first half of 2015, 10 percent more than in the same period of 2014.

2014

InfoWatch: The number of leaks in Russia grew by 73%

In February 2015 the InfoWatch analytical center presented the results of its global study of confidential information leaks for 2014. Compared with 2013 the number of information leaks grew by 22% worldwide and by 73% in Russia.

In a quarter of cases the information leak resulted from hacker activity (targeted attacks, phishing, compromise of a web resource and so forth). In the majority of cases (73%) information leaked because of an internal violator, as a rule a non-management employee, former or current. However, while internal attacks compromised 350 million personal data records (0.34 million per leak), external attacks compromised 410 million records (1.16 million per leak). Thus hacker attacks, though less frequent than internal ones, caused companies greater damage, the company specified.

"Banks, where information on individuals' accounts, plastic card details and other 'liquid' data is concentrated, often suffered from massive attacks in 2014. Hackers hunted for the same data types when stealing information from the payment terminals of retail chains. Large Internet services, transport companies and government institutions came under attack," said Sergey Hayruk, an analyst at InfoWatch. "As the Russian picture of information leaks more and more approaches the American one, in the near future we can expect the same large-scale attacks on domestic Internet services".

In 2014 the share of accidental leaks increased by 10 points to about 50%. The share of deliberate leaks accordingly fell to 44% of the total number of incidents. The shift in shares by intent occurs because, as information security tools (including DLP solutions) spread, accidental leaks are recorded more and more often, while recording malicious leaks requires more expensive countermeasures, InfoWatch explained.

Most information leaks involve personal data: this information leaked in 92% of cases. More than 767 million personal data records were compromised through errors or intentional actions of internal violators and through external attacks.

Among the trends of 2014, InfoWatch analysts single out the large number of "mega-leaks", each involving more than 10 million leaked personal data records. Thus 14 "mega-leaks" compromised more than 683 million records, 89% of the total volume of leaked personal data. More than 30 cases were also recorded in which the volume of personal data compromised by a leak exceeded 1 million records.

Source: InfoWatch, 2015

Frauds known as identity fraud also became widespread. Nearly three quarters of personal data leaks are connected with "identity fraud": the stolen information was used in fraudulent schemes, with criminals taking out loans and claiming tax deductions using other people's data.

The majority of leaks in 2014 occurred through three main channels: the Internet (35%), paper documents (18%) and theft or loss of equipment (16%). Deliberate leaks most often happen via the Internet, and accidental ones as a result of loss or theft of equipment.

In 2014 the share of state companies from which information leaked was cut almost by half, while the share of commercial organizations that fell victim to such incidents grew. Leaks were recorded most often in medicine (25%) and most rarely in municipal authorities (2%). By volume of compromised records, however, the banking sector leads with 41%. As for personal data specifically, it most often leaks from hi-tech companies (including Internet services), state agencies, and medical and trade institutions.

Most (52%) leaks at large companies fall into the intentional category, and most (57%) leaks at medium-sized companies into the accidental category. Nevertheless, the share of personal data leaks in SMB is significantly higher than in the large-company segment: 71% against 24%. This shows that the data protection issue in small companies is still unresolved, InfoWatch believes.

The InfoWatch analytical center's global study of confidential information leaks also ranks the positions of companies' own staff who allowed confidential information to be stolen. The responsible party could not be identified in only 13% of cases.

Distribution of leaks by channels, 2014

Source: InfoWatch, 2015

In its annual study InfoWatch names the USA the leader in leaks in 2014 (906, or 65% of the total number of incidents). Russia, according to InfoWatch, takes second place (167 leaks), as it did at the end of 2013. Great Britain is in third place (85 leaks).


According to Valentin Krokhin, marketing director of Rostelecom-Solar (formerly Solar Security), hackers find "most interesting" those systems in which larger volumes of data or financial resources circulate. That is why American and European companies are attacked most often.

According to the annual EY report, employees' lack of awareness of information security issues is the main cause of vulnerabilities in corporate information systems in Russia. Social networks pose the least threat to corporations.

As around the world, attacks on Russian enterprises are carried out solely to "earn" money. Most cybercriminals, according to Sergey Hayruk, an analyst at InfoWatch, "pushed" ideological motives into the background long ago: malefactors have worked and will work for material gain. Of course, if a state pays more for an attack on a neighbor, hackers will most likely agree.

Zecurion: 37 public cases of information leak

According to Zecurion Analytics, 37 public cases of information leaks were registered in Russia in 2014. Among the most prominent: the compromised database of millions of users of the mail services "Yandex.Mail", Mail.ru and Gmail, the theft of more than 70 million rubles from customer accounts at several Russian banks, the use of client data and theft of 2 million rubles by employees of the bank May Day, and the leak of passwords to the prime minister's accounts.

2010: Leak of client data forced Alfa-Bank to replace thousands of plastic cards

Among the leaks in Russia in 2010, one can note a large personal data leak from Alfa-Bank, after which the bank decided to promptly replace more than 7 thousand bank plastic cards.

There were also positive events in the outgoing year: the FSB and the State Office of Public Prosecutor closed several websites that gave anyone access to extensive databases of Russians' personal data. Examples of legal claims filed in several Russian regions by citizens affected by leaks of their personal data are also very indicative.
