Last week, authorities discovered how customers of the
Russian subsidiary of the famous Swiss insurance company Zurich had their
information stolen. The culprits managed to obtain customers’ addresses, places
of work and mobile phone numbers.
This is not the first major leak of personal
data in Russia, but the true scale of the disaster is unknown, as the company
does not have the right to report such incidents.
Experts say that large-scale data leakage has practically
never threatened Zurich clients. Yet there is always the possibility that buyers
of insurance companies’ customer databases will turn out to be criminal organizations;
it is much more likely, however, that secondhand dealers will be the competing
companies, says the general director of Zecurion, Alexei Raevskii.
In the case
of the latter, affected Zurich clients are likely to be confronted only with increasing
mailings for offers of services.
Read more: Russia signed agreement to clampdown on Internet piracy
The Zurich data leakage could be much more painful, though.
“Direct damage caused by this incident will likely be small for the
company. Currently, the maximum penalty for failure to comply with the law on
personal data is 500,000 rubles (around $15,150), and it applies only in cases
of repeated violations. Claims to the company for damages by the affected
citizens are also unlikely to lead to substantial losses,” says Raevskii.
“As for the indirect loss, they can be assessed in the tens
of millions of dollars in this case,” the general director says. If the
customer base of Zurich falls to the competitors, then, in the next six months,
more than half of the clients of this database may change their insurance
company, experts predict.
Another major leak of customer databases, which also became
known to the media, took place in August 2012: The names, email addresses and
mobile phone subscriber’s coupon services were leaked to the network.
Scammers
offered to sell Vedomosti journalists a database of 760,000 Muscovites
registered in online stores or coupon portals for $500. The press services of
the largest coupon providers — Biglion and Groupon — denied leaking their databases.
Out of all the commercial organizations, telecom operators
are most prone to leaks, notes Raevskii. In 2003, the customer base of MTS was
stolen, and intruders had not only the names and telephone numbers of
subscribers, but also their passport data. The operators claimed that the theft
likely occurred through centralized law enforcement.
As for government agencies, the databases for customs, tax
authorities, traffic police and other departments could be bought in every
underpass not so long ago.
“Now the situation has improved somewhat — but
mainly due to the fight with the sellers, not the insiders. And there is every
reason to believe that the situation with the protection of databases in these
organizations has not improved significantly,” says Raevskii.
The fight with the sellers of stolen data is not enough to
minimize the risk of leakage. It is essential that companies and agencies
themselves think about the protection of their data.
“The competent
director of information security, with organizational and technical measures,
may well reduce the risk of leakage to an acceptable level. However, this
requires the support of the leadership, which often does not consider information
security a priority task. Therefore, as long as priorities have not changed, it
would be naive to wait for a fundamental change in the situation with the
leaks,” says Raevskii.
Changes to Russian laws regarding the protection of
personal data could encourage companies and agencies to better care for their
own safety. In its current form, the law on the protection of personal data “looks
strange enough,” according to Raevskii; it contains a list of technical
requirements that an organization must perform, but it does not provide for
liability for the leak.
Related:
Russian programmer wins Facebook Hacker Cup
State Duma’s internet piracy bill stirs public outcry
US, Russia, China meet to tackle cyberterrorism
“It turns out that the main purpose of the law is not to
provide the actual protection of data, but to provide compliance with the requirements.
So everything remains as it is: Everything meets the requirements and incidents
continue to occur,” says the head of Zecurion.
The lack of mandatory standards informing clients about
leaks of confidential data also causes doubts. Such a requirement is included in
the law of some EU countries and can effectively deal with leaks, say Doctor
Web experts.
Under current law, the penalty for allowing data leakage is
only 20,000 rubles (about $600). The Federation Council is currently preparing
amendments to the law on personal data, which will reduce the level of
technical requirements for organizations, but significantly increase the penalties
for leaks.
According to Ruslan Gattarov, member of the Federation
Council Committee on Science, Education, Culture and Information Policy,
penalties could reach “millions of rubles.” However, it is not clear
when these amendments will be adopted.