RSS
Логотип
Баннер в шапке 1
Баннер в шапке 2

Ski Plus (Nordski)

Company

Russian sportswear manufacturer.

All products under the Nordski brand are developed and produced in Russia. The company considers its goal to create functional sportswear in Russia with characteristics at the level of world brands and with a price available to everyone. As of 2024, the company has 10 production sites, more than 360 wholesale partners and is present in 55 regions of the country.

2024: Personal Data Leak

As TAdviser discovered in September 2024, the Magistrate's Court of the Leninsky District of Penza found the Russian sportswear manufacturer Nordski (Ski Plus LLC) violated the law on personal data due to the leakage of personal data of users and customers from its website. The company explained the incident by the presence of a vulnerability in the 1C-Bitrix website management system, which it uses.

From the published court ruling it follows that Roskomnadzor initially discovered the leak . During the monitoring of the Internet, the department revealed the fact of distributing a database with a volume of 22 thousand lines containing personal data of users and clients of the nordski.ru site owned by Ski Plus: surnames, names, patronymics, phone numbers, email and addresses. The database was posted on a hacker forum, as well as in one of the Telegram channels.

In response to a request from Roskomnadzor, Ski Plus confirmed the leak of the personal data database. Moreover, the company sent a notification about this to the regulator almost two months after receiving a letter from him about the detected leak. In its notification, Ski Plus stated that the leak occurred as a result of a vulnerability in the 1C-Bitrix site management system.

File:Aquote1.png
The 2022 site database backup was located in the site's root folder with administrator rights, which in turn prohibit viewing and downloading the file. However, as a result of hacking the site, through the core of the 1C-Bitrix control system, the site structure and access rights to files and directories were violated, - the position of Ski Plus is given in the court order.
File:Aquote2.png

From
the website of sportswear manufacturer Nordski leaked data

The court confirmed in the actions of Ski Plus the composition of an administrative offense under Part 1 of Art. 13.11 of the Administrative Code of the Russian Federation (processing personal data in cases not provided for by the legislation of the Russian Federation in the field of personal data), expressed in the distribution of personal data of citizens to an unlimited circle of persons. The company's guilt in the commission of this offense is fully proven by the materials of the administrative case, examined and announced in the court session.

At the same time, the court took into account as a mitigating circumstance the fact that the company was brought to administrative responsibility for the first time, and the punishment for this was limited only to a warning.

By default, the Code of Administrative Offenses of the Russian Federation provides for this part of the article punishment for legal entities in the form of an administrative fine in the amount of 60 thousand to 100 thousand rubles, and for a repeated similar violation - from 100 thousand to 300 thousand rubles.

In 1C-Bitrix, having studied the case materials on the court's website, they shared with TAdviser their position on the possible cause of the leak. So, Roman Strelnikov, head of information security at 1C-Bitrix, notes that Ski Plus independently backed up and posted it to the root of the site.

File:Aquote1.png
It was a bad idea. Such files are easy to download to any visitor to the site, even without authorization. The built-in Bitrix backup system places backups in the cloud, he explains.
File:Aquote2.png

We can also say that the company has not installed Bitrix's recommended security updates for seven months. It can be assumed that such actions led to the leakage of personal data of site users. But since the client did not appeal in support, there is no way to say something additional now, added Roman Strelnikov.