PromTransBank

History

2023

How the contractor's mistake led to the leakage of personal users of Promtransbank, and the bank did not notice

As TAdviser discovered in August 2024, in the litigation between Promtransbank and its former contractor, Express Lab, the reasons and details of the leakage of personal data of users from the bank's website are given.

The leak itself took place in 2023. Then one of the hacker groups drew attention to the fact that Promtransbank saves the data received from the unified identification and authentication system (ESIA) to the "esia.log" file, which is in the public domain. Records in it began on November 3, 2022 and as of January 2023 were updated in real time. We are talking about the data of those who applied for a loan. The bank recommends using "Public services" for this, arguing that this increases the chance of loan approval, and also gives a discount on the interest rate.

Freepik

From the decision of the Eighteenth Arbitration Court of Appeal, published in the Electronic Justice system in July 2024, it follows that in connection with the leakage of personal data FSB , Promtransbank conducted a "survey of the premises," Ministry of Digital Development and then demanded a detailed report from the bank on the causes of the leak and the measures taken to counter the incident.

Promtransbank blamed the leak on Express Lab, which provided him with services to develop a single form of loan application to fill it out on the bank's website. Moreover, the work was accepted and paid without complaints. And Express Lab, in turn, pointed to its employee, who created and posted a magazine file. The company believes that there is no responsibility for this on it itself, as in a legal entity.

In his letter to the Ministry of Digital Development, Promtransbank pointed out the following reasons that led to the leakage of data, according to a published court ruling:

• work on the creation of the site and further refinement of the online loan application functionality on the site was carried out under an agreement with Express Lab;
• the service was tested by the bank and, according to the revealed comments, Express Lab carried out work on correcting the functionality;
• the specified journal file was created by Express Lab to debug the online loan application functionality, which was not known to the bank before the fact of personal data leakage was revealed;
• the creation of the log file was not specified in the terms of reference and its creation was not coordinated with the bank;
• upon completion of the correction of the online loan application functionality, the Express Lab employee did not delete his test procedures for creating and maintaining a log file and did not inform the bank about this fact.

Thus, in the process of providing services, an employee of Express Lab published a log file that stores information about users' personal data in clear text on the Internet without using any protection systems. As a result of unprotected access to the log file established by the Express Lab employee, there was a leak of personal data of applicants who sent an application for a loan online to Promtransbank.

When signing the acts of acceptance of work, Promtransbank was not aware that an employee of his contractor had published a journal file storing information about personal users, the court document says.

As a result, an employee of Express Lab, who made a mistake, was brought to administrative responsibility under Part 6 of Art. 13.12 of the Administrative Code (violation of information protection rules), and Promtransbank - to administrative responsibility under Art. 13.11 of the Administrative Code ( violation of the legislation of the Russian Federation in the field of personal data) in the form of an administrative fine in the amount of 60 thousand rubles. The bank then recovered this modest amount as damage through the court from Express Lab.

At the same time, the arguments of Express Lab that it was not responsible for the leakage of data were rejected by the court. Establishing the employee's guilt is not the basis for exempting the company from liability as a personal data operator, the court believes.

Leakage of personal data of users

In January 2023, hackers of one of the groups drew attention to the fact that Promtransbank saves the data received from the Unified Identification and Authentication System into a file that is in the public domain. A text file with the speaking name esia.log is located at the root of the bank's website. Records in it begin on November 3, 2022 and are updated in real time^[1].

PTB Bank will pay off 248 million debts of its "daughter"

In January 2023, the bankruptcy trustee of PTB-Leasing JSC, Yury Nabiullin, announced that Bashkir Promtransbank (PTB), which owns this company, intends to pay off all its debts in order to withdraw it from bankruptcy^[2]

2007: Securities Market Participant

In 2007, PTB expanded its scope, becoming a professional participant in the securities market.

2004: Retail Block Development

Since 2004, PTB has been actively developing the retail block. The Bank began purposeful work on issuing loans to the population, as well as attracting deposits of individuals. In addition, in 2004, PTB was one of the first among the banks of the republic to become a member of the voluntary deposit insurance system.

1998-2001: Name change, service expansion

In 1998, the organizational and legal form and name of the bank were changed. It became known as Cambrius Commercial Bank LLC (Cambrius Design Bureau LLC). Among the original founders of the Bank were large Bashkir enterprises: JSC Cambriy, ANK Bashneft, RNPK LUKOIL-Bashkortostan, JSC Bashneftegeofizika, AOZT Bashselstroy.

In 2001, a new stage of development began, which was associated with the arrival of new owners, which gave the bank an additional impetus to move towards building a modern banking structure focused on a wide range of banking services not only for legal entities, but also for individuals. Then the Bank received its modern name - "PromTransBank" (Bank "PTB"). In the same year, the Bank was issued an extended license of the Central Bank of the Russian Federation No. 2638 dated 22.03.2001 for banking operations.

1993: Getting Started

PTB Bank is one of the founders of banking in Bashkortostan. The bank began its work at the end of 1993 with only a few employees in a small room on the fifth floor of the building at 70 Lenin Street in the city of Ufa. Then it was called LLP KB "Cambrius" and specialized in servicing enterprises of the national economy. According to PTB, it is the only bank in Ufa that has not changed its location in history.

Notes