Tutu.ru Туту.ру New Tourism Technologies NTT

Travel Agency for Online Booking tutu.ru (LLC "New Tourist Technologies") is a Russian travel service operating in Runet.

The main services of the Туту.ру: selling tickets for airplanes, long-distance trains and intercity buses, issuing tourist vouchers, booking hotels, as well as informing about the schedule of suburban trains.

History

2024: Change in ownership structure

The Russian travel service has Tutu.ru changed its ownership structure in 2024. According to the explanations to the financial statements of the head legal entity of JSC "Digits," the sole shareholder of the company was the combined closed unit investment fund (ZPIF) "MK Investment Decisions 2," which is in the trust management of JSC "Management Company" My Capital. " This became known at the end of April 2025.

According to RBC, until the end of 2023, the ultimate beneficiaries of Digits JSC were the founders of the service Dmitry Khrapov and Yuri Titov. However, the company declined to comment on whether the ultimate beneficiaries of the business have changed and who acts as shareholders of the fund. The representative of the Tutu.ru only said that Dmitry Khrapov and Yuri Titov "are present in the Tutu.ru," and their expertise and experience will be used in the placement process.

𝓲

Фото: Freepik

According to four sources of publication in the media market, banking structures and the travel industry, the actual owners of the Tutu.ru have really changed, and the deal to sell the business took place at the end of 2024. Two interlocutors claim that one of the major Russian banks acted as the buyer, and two more insist that the deal was closed in the interests of persons associated with Alfa Bank.

It is noteworthy that the management company "My Capital," under the management of which is ZPIF, which has become the only shareholder of the main legal entity of the travel service, until 2022 was called "Alfa-Capital Alternative Investments." In addition, in April 2025, two trademarks with the word "Alpha" were registered at New Tourism Technologies LLC, owned by Digits: prodalfa.ru and stagealfa.ru.

The press service of Alfa-Bank denied the direct purchase of Tutu.ru, although they noted the active development of initiatives in the travel direction. The bank also said that now My Capital Management Company has nothing to do with the bank or its structures, without specifying when the ownership change took place. The actual structure of the shareholders of My Capital Management Company in the Unified State Register of Legal Entities is hidden, but the company is registered at the same address as Alfa Capital Management Company.

In parallel with the change of ownership structure, the Tutu.ru service began to rebuild the strategy for the subsequent IPO. The details and timing of a possible placement in the company are not disclosed.^[1]

2023: Fine of 60 thousand rubles for leakage of user data

In early March 2023, the Tagansky district of Moscow fined the Туту.ру service 60 thousand rubles for leaking user data. The company was found guilty of an administrative offense, which is provided for in Part 1 of Article 13.11 of the Administrative Code (violation of the legislation of the Russian Federation in the field of personal data).

We confirm that we have been assigned a minimum fine of 60 thousand rubles, we do not plan to challenge it, "the Туту.ру press service told TASS.

Service "TuTu" fined for leakage of user data

The fine was issued for a data breach that occurred in July 2022. Then part of the user data "Туту.ру" got on the Internet. The file contained information about bus ticket buyers - these are first and last names, phone numbers and email addresses. The service specified that the database included less than 1% of the data from the total number of orders.

The press service of "Туту.ру" in early March 2023 stressed that the company conducted an investigation and promptly eliminated the causes of the data leak. The "Туту.ру" also assured that the service is continuously working to improve security mechanisms in order to comply with global data security standards.

Andrey Timoshenko, head of information security practice at AksTim LLC (formerly Accenture), says that quite sensitive data has leaked from Туту.ру.

If we proceed from the fact that contacts (last name, first name, phone number, email), dates of birth and passport data have leaked, then this is sensitive information that allows you to accurately identify their owner. It will undoubtedly be used in itself for fraudulent purposes, as well as for various types of attacks aimed at obtaining material benefits by attackers. In addition, passwords are probably at the disposal of cybercriminals, and this is also important, since people often use the same password for different services, he said.[2]

2022: Data of millions of users of the service "Туту.ру" got into the public domain

In early July 2022, it became known that the data of millions of users of the Туту.ру service were made publicly available. The company confirmed the leak and assured that it did not affect customers' payment data.

According to the Telegram channel "Information Leaks," part of the ticket purchase service database (air, railway, bus, etc.) has been published on the Internet tutu.ru. The file contains data from bus ticket buyers - more than 2.6 million lines in total, including:

• names and surnames;
• telephones (2.29 million unique numbers);
• email addresses (over 2 million unique addresses).

Data of millions of users of the service "Туту.ру" got into the public domain

The hacker claims that in addition to this list, he also managed to get dumps of tables of registered users (7 million lines with hashed passwords) and ticket orders (32 million lines with passport data). However, he did not provide any confirmation of the presence of these data, the Telegram channel notes.

According to the press service of "Туту.ру," the hackers had access to a table containing the technical data of the "buses" section of the service. By early July 2022, the company is conducting an internal investigation and is working on several versions of what happened.

The file in question does not contain payment data, arrival-departure points, order dates. But there is a surname and first name (not all passengers), a phone and mail to send a check. By the beginning of July 2023, the reliability of the data is being checked, according to Туту.ру.

Today's attack is far from the first, in recent months, information security specialists "Туту.ру" have recorded dozens of unsuccessful attempts to disrupt the stability of the service. Starting February 24, 2022, Туту.ру, like many large Russian Internet services, was chosen as the object of constant directed and distributed attacks, the company added.[3]

2021: An open letter from Russian online services against Yandex's anti-competitive behavior

On March 18, 2021 TAdviser , information came to the disposal that the Russian Internet the companies signed an open letter in which they expressed concern about the abuse of the dominant position in the search market by "" and Yandex supported the decision that FAS obliged the IT giant to eliminate privileges to promote its own services in this market. More. here

Notes