Alexei ChernobrovovConsultant on Analytics and Data Monetization

Black data market: how to protect yourself and your customers

Continuing the topic of making money on information about user behavior, today we will take a closer look at the problem of illegal use of our personal data (PD). Read in this article how much a passport costs on the black market, what to do if someone else’s credit was issued in absentia for you and how to avoid it.

 

What is personal data and where does it leak

Federal Law No. 152-FZ “On Personal Data” means by PD the following information about an individual (subject of PD), on the basis of which it can be directly or indirectly determined:

  • Surname, name and patronymic (full name);
  • Date and place of birth;
  • addresses of places of registration (registration) and residence;
  • series, number and date of issue of the passport;
  • marital, social and property status;
  • education, profession, income;
  • contact details - phone and email.

This information is considered personal and protected by law: Article 24 of the Constitution of the Russian Federation on the inadmissibility of disseminating information about the private life of a person, Decree of the President of the Russian Federation of March 6, 1997 No. 188, Government Decree (No. 512 of July 6, 2008, No. 687 of September 15, 2008, No. 1119 dated November 1, 2012), teaching materials of the FSB, Roskomnadzor and FSTE [1]. Violation of these Federal Laws is governed by Article 13.11 of the Administrative Code, which prescribes a warning or administrative fine, as well as Articles 137, 140 and 272 of the Criminal Code of the Russian Federation, which imply criminal liability with the punishment of a fine, forced labor, revocation of a license, and imprisonment of up to 2 years with the termination of the right to engage in certain activities and occupy certain positions [2].

Despite such serious formulations, our PDs continue to leak: almost every month, the media write that the next database of personal information about Russian citizens has come into the public domain. The year 2019 was especially rich in such news, in particular, in March it became known about the leak of personal data of patients of hospitals in the Lipetsk region, whose names, addresses and diagnoses were published by the regional health department when auction was announced on the public procurement website. In April, a similar incident happened with a database of ambulance patients in several cities near Moscow (Mytishchi, Dmitrov, Dolgoprudny, Korolev, Balashikha) [3]. At that time, at least 2.24 million records with passport data, SNILS numbers and information about the employment of Russians turned out to be in the public domain. This happened due to the inconsistency of the requirements of the legislation on the transparency of information in electronic tenders with the need to protect personal information: for the accreditation of participating organizations on the electronic trading platform, detailed information about its founders is required. The incident occurred with the largest electronic trading floors in Russia, which host commercial purchases and government purchases under federal laws 44-FZ and 223-FZ: the ZakazRF purchasing module (562 thousand records), RTS-tender (550 thousand records), “ Roseltorg ”(468 thousand records),“ National Electronic Site ”(142 thousand records), ETP RAD (18 thousand records) and Sberbank AST (500 thousand records). In order to exclude such risks in the future, it is necessary to promptly amend Articles 24.2 and 62 44-FZ, which will clearly regulate which data of procurement participants should be available in the public domain at sites and which should be provided to customers in the prescribed manner [4].

In June, the database with PDs of almost a million Russians — clients of Alfa Bank, OTP Bank, and HCF Bank — became publicly available. In August, PDs of 703 thousand employees of Russian Railways were published: names, phone numbers, positions, photographs in the form and pictures of SNILS [5]. The largest leak to date, PD occurred in August and September 2019, when more than 90 million records with various data on legal entities and individuals, including the serial number, date, time and place of purchase, full name, leaked from the servers of the fiscal data operator “Dreamcas” seller, quantity of goods, its name and price. Cybersecurity experts suggest that the incident arose due to a human factor - errors by system administrators when configuring a server or configuring a firewall [6]. In October 2019, at a specialized forum of the anonymous file exchange network “Black Internet” (Darknet), a proposal appeared to sell a database with data on 60 million Sberbank credit cards (active and closed) [7]. In the same month, 8.7 million records with personal information of Beeline customers who connected his home Internet got into public access. Clients of the Tochka web bank for entrepreneurs also suffered from this, for whom the password for entering the Internet bank coincided with the password from the personal account of the mobile operator [8]. In November, in darknet, the VTB depositor base was sold, consisting of 5 thousand lines, including the name, home address with index, email, phone numbers and the deposit amount, which starts from 1 million rubles. The bank explains the incident as a data leak from a partner company that serves VTB VIP clients, for example, provides a transfer from the airport [9]. More relevant news and materials about information leaks and cybersecurity can be found in the specialized telegram channel @dataleak [10].

4 main causes of PD leaks and how to prevent them

Having analyzed the above cases of PD leaks, we can conclude that the most common factors for the occurrence of such incidents are:

  • deliberate theft of confidential information carried out by an official who has access to it. For example, unreliable employees of banks, telecom operators, and even government agencies [11];
  • hacker attack, when servers with private information are deliberately hacked by attackers using malicious viruses and other prohibited methods (brute force scripts, directory scans, etc.) [12];
  • negligence and illiteracy of network administrators and developers of information systems, allowing to obtain private information by simple queries in the address bar of the site due to incorrect settings of access rights to cloud storages and server configuration errors [12];
  • inconsistency of legislation, when certain laws require the disclosure of confidential information, as was the case in the above electronic trading [4].


Of all these problems, the solution to the latter is most obvious, which involves a coordinated study of the current legislation so that the requirements of one law do not contradict the other. A more severe liability of PD operators for leaks due to their fault is also needed. In particular, Roskomnadzor plans to introduce administrative liability for the illegal distribution of personal data and for the purchase of such. By the spring of 2020, the regulator will prepare and submit for public discussion amendments on liability for the purchase of stolen personal data [13]. Recall that at present, administrative and criminal liability rests solely on the fact of the sale of PD. At the same time, despite the wave of punishments that began in 2018 for illegal copying and transfer of confidential information to third parties [11], the number of constantly occurring incidents indicates the insufficiency of these measures.

Let me remind you that today fines for legal entities for violation of the procedure for processing PDs range from 15,000 to 75,000 rubles. Such amounts are not significant for business, especially for large companies. Abroad, they are more responsible for protecting PD: in particular, the European General Data Protection Regulation (GDPR), adopted in May 2018, imposes fines of up to 20 million euros or 4% of the global turnover of the violating company. Despite the fact that GDPR is not a Russian law, its requirements also apply to the territory of our country: these rules apply to companies processing PD of residents and citizens of the EU, regardless of the location of the organization (Fig. 1). There are already precedents for holding companies accountable for violating GDRP, for example, in 2018, in connection with data leakage and violation of the requirement to store user data in encrypted form for 20 thousand euros, the German company Knuddels GmbH & Co KG, the owner of the German online chat, was fined Knuddels dating service. The British airline British Airways was fined 183 million pounds for a similar violation related to the insufficient degree of protection of user data in the event of a leak. Another illustrative example is a fine of the US company Google by the French regulator (CNIL) in the amount of EUR 50 million for providing incomplete and opaque information to Android OS owners, as well as for a number of other related violations in the field of PD processing. Also, fines for GDPR were received by Uber and Facebook [14].

Fig. 1. GDRP action

Thus, the Russian legislation in the field of PD protection requires a substantial addition to ensure that the safe storage and processing of user data is respected by both legal entities and individuals. Technically, you can protect the PD using encryption, cryptographic protocols, competently configured security policies (RBAC model, logging of all database operations), means of preventing unauthorized access, DLP systems (Data Loss Prevention), which analyze data flows that go beyond corporate network, as well as the organization of a secure perimeter and other methods of ensuring cybersecurity. But all these measures will be effective only together with the methodological component, which assumes the active involvement of domestic and foreign legislation in the activities to protect PD. However, such legislative elaboration will require a lot of time, therefore, so far, their subject should first of all take care of protecting their PDs, as individual. Why it is really important, I will tell further.

 

Why and what you need to protect your data from

According to Javelin Strategy & Research, Americans lost $ 16.8 billion in annual identity theft losses in 2017. Moreover, each victim loses an average of $ 776 and spends about 20 hours on data recovery. For example, a random number of a certificate of social insurance in the American Darknet costs only 5 cents, and the data for a particular person is $ 3, his medical history is $ 5, and a US credit card number is from $ 7 to $ 11. The login and password for a bank account are valued more expensively: from $ 2,000-6,000 in the account - $ 270 and with more than $ 16,000 in the account - $ 1,100. Access to corporate e-mail can be bought for $ 400-500 [15].

Everything is much cheaper on the Russian “black Internet”, but virtually any PD is actively sold, from passport photos and SNILS to detailing subscriber actions (calls, SMS messages), including information about movement on airplanes, trains, buses, ferries, fines for traffic violations, etc. For example, in 2019, a monthly statement of a bank account or an individual’s card is estimated at 1-10 thousand rubles, and information on all issued internal and foreign passports of a particular individual is estimated at 1,000 rubles [16].

Why is the theft of PD dangerous for ordinary citizens? Consider several cases with varying degrees of financial damage, but all rather unpleasant for the victim.

Stories that one can pass credit in absentia with someone else's passport is not urban folklore. For example, today scammers successfully borrow money from outsiders not only from microfinance organizations, but also from large banks, presenting as photocopies of passports, certificates of employment and other papers with PD. As a result, the debtors are citizens whose PDs were used to receive money under a fictitious loan agreement. Victims must prove their innocence at their own expense, spending their own money, time, effort and nerves to communicate with banks and collectors, as well as appealing to the police and courts, which are won far from the first time [17]. Such precedents are perhaps the most critical cases of damage incurred as a result of PD leaks.

Less financial (but not moral) harm is caused by the use of confidential information about the private life of an individual in order to impose various services and aggressive advertising on him. For example, calls with an offer to purchase some goods or provocation of a victim to commit any actions in favor of an attacker. In particular, due to the skillful application of social engineering techniques and awareness of the bank card holder’s PD, fraudsters pretend to be bank employees and convince the owner to transfer money to the accounts of unauthorized persons to ensure their safety. As a result of this, the client loses his funds, since it is not so simple to prove the fact of coercion to perform actions and roll back the operation [18].

It is also worth noting that in many online stores you can pay for purchases with a credit card, simply knowing its number and holder’s data, without entering secret codes. In addition, attackers can use the knowledge about the victim’s private life for more serious crimes: extortion, blackmail, threats and other illegal acts [19].

However, they steal and illegally use not only credit card information. Typically, a person has several dozens of accounts that form his digital identity: accounts of social networks, online stores, forums, e-mail, entertainment services, etc. (fig. 2). Fraudsters hack even Uber, Airbnb, and Netflix accounts and sell them on Darknet. For example, buying someone else’s Airbnb account for only $ 8 will allow the fraudster to book a stay in expensive hotels or replace payment details in the landlord’s account, sending money for renting an apartment to his account. Hacked Skype accounts can be used to send spam even if two-factor authentication has been installed. Spam messages sometimes contain phishing links to popular sites such as LinkedIn and Baidu. Mobile phone accounts are generally a real treasure trove for scammers, taking into account SMS from banks [2]. In particular, it is worth mentioning fraud with SIM cards, when an attacker using the stolen data convinces the mobile operator that he is a real customer who has lost his phone and wants to get a new SIM card. After activating the card, the fraudster gains control over the victim’s mobile number and uses it to change passwords and gain access to the bank account. Also, foreign PDs are used to make fake passports and other false identity cards when stolen data is superimposed on photos taken in the editor [20].

Fig. 2. The cost of accounts for different services in Darknet [2]
Fig. 2. The cost of accounts for different services in Darknet [2]

How to protect personal data: to protect ourselves and our customers

First of all, we note that advertisements for the sale of PD on the darknet are not only the result of the actions of corrupt employees or the work of evil hackers who broke into a banking database or online store website. Often, PD subjects themselves take their private information very lightly. For example, they go into their own mailbox or bank account, connecting to public Internet networks (WiFi points) in a cafe, airport or just outside. There is also an independent leaving of personal information in public places, for example, when scanning documents at the MFC [21].

You should not cover all the details of your personal life in social networks, noting your own geolocation and posting information about young and old relatives (name, age, degree of relationship) so that attackers do not have a chance to use this knowledge for criminal purposes. For example, most of us are familiar with the scheme of fraudulent divorce when your loved one calls from an unknown number and says that he is in trouble (accident, arrest, etc.) and an urgent need to transfer a large amount of money to release him. Despite the fame of such a crime, still many are influenced by dishonest individuals and voluntarily part with their own money. Moreover, in order to avoid the influence of the "black masters" of social engineering, it is recommended to be careful with regard to various telephone surveys collecting information on a particular topic. Without the need, you should not take part in such events, as well as get carried away with similar questionnaire applications in social networks.

To protect passport and other PDs that you share, for example, with a bank when concluding a loan agreement, or when attaching to a clinic, it makes sense to watermark scans or photocopies of these documents - manually or in any image editor. As such protection, specify the addressee of the PD, for example, the name of the resource, in order to quickly identify the source of distribution in case of leakage (Fig. 3). In addition, even with the imposition of such information on scans and photocopies, you should not report your PD to operators whose reliability you are not too sure. For example, numerous shops, banks, even schools, kindergartens, housing and communal services and other services [22].

Fig. 3. An example of the watermark on the document [22]

And in order to avoid the intrusive spam from various shopping and entertainment services when filling out personal information, it makes sense not to indicate all the details there, as well as not to tell the main phone number that you use to work and communicate with loved ones. Insert an additional SIM card for such cases. Similarly with an email address - a separate email to register with different Internet services and not very important subscriptions will save your time, reducing the risk of PD leakage.

As for the technical recommendations on the protection of their PD stored in electronic form, they correspond to elementary measures of household cyber security [23]:

  • regularly update the operating system;
  • Use a reliable antivirus with a regularly updated database of malware;
  • set a password on your home WiFi router and configure a firewall;
  • Use two-factor authentication when accessing especially important services (Internet banking, government services, etc.);
  • invent complex and different passwords (no, qwerty, 123456 and your birth date will not work)) to all Internet services and to local devices (computer, phone);
  • timely and permanently delete unused information from cloud storage and local media (hard drives, flash cards);
  • Avoid very personal answers to common questions when restoring access to certain services. For example, your mother’s maiden name is not a good authentication method.
  • Using public Internet networks and hardware, do not go into private accounts; when scanning personal documents on other people's equipment, permanently delete the saved images;
  • remember that the security level of mobile applications is much lower than their desktop versions, in particular websites. For example, according to the results of comprehensive testing of mobile application security in 2018, high-risk vulnerabilities were detected in 38% of iOS programs and 43% for Android (Fig. 5) [24]. Therefore, if possible, you can do without installing mobile applications on your smartphone.
  • pay for purchases in online stores through a secure bank gateway so that an unscrupulous seller cannot copy your card details. And the best thing for web shopping is to use a virtual card with a limited limit of funds [25].
    turn off the autoload of images in emails - they may contain javascript or an invisible pixel image, with which you can track your movement through sites, thus forming a portrait of your consumer behavior. A similar technology is used to collect user data using cookies, which I described in detail here.
Fig. 4. The proportion of vulnerabilities of varying degrees of risk [25]
Fig. 4. The proportion of vulnerabilities of varying degrees of risk [25]

 

At the corporate level, the principles and conditions for the safe processing of PD are regulated by the already mentioned 152-ФЗ, which regulates the responsibility of the operator working with such information. The PD operator is required to have a package of documents confirming the security of the PD of his employees and customers. The list of required documents depends on the specifics of PD processing, work processes and the structure of each individual enterprise. In accordance with this package of documents, the enterprise must implement technical means of PD protection [26].

In our country, corporate PD protection is reduced to the creation of a processing mode, including [27]:

  • creation of internal documentation for working with PD;
  • creation of an organizational system for PD protection;
  • introduction of technical protection measures;
  • obtaining regulatory licenses (FSB, FSTEC);
  • FSTEC Russia license for the technical protection of confidential information is needed only if the organization provides services to create a PD protection system for other persons. When creating the PD protection system by the organization for its own needs both by technical means and organizational - this license is not needed.
  • Obtaining certificates of regulatory bodies (FSB, FSTEC) for information security tools.

If a Russian company processes information about citizens and residents of the EU, it should carry out similar activities in accordance with the GDPR. Today, this can be done with the help of external contractors specializing in IT security [28].

 

Conclusion

Summing up the topic of PD protection in the modern world, I emphasize that under this abbreviation are not only full names with passport and credit card numbers. The digital identity of each person consists of many accounts for various services - from the online store to state electronic services. Therefore, it is important to protect the client’s personal account on any site, which is what the laws are striving for today. Nevertheless, modern legislation in this regard is far from perfect. Therefore, remember that protecting your PD is, first of all, your personal concern. Better to prevent a potential threat than to analyze its consequences. Do not disclose confidential information without special need, and if such arose, attach watermarks to copies of your documents to identify a data leak when it occurs. Feel free to ask the operator of the PD how it protects your personal information. Follow the rules of cybersecurity as well as fire recommendations or traffic rules.

Of course, modern legislation, in particular, 152-ФЗ, allows individuals to demand in court compensation for property and moral damage caused as a result of a violation of the requirements for processing PD. However, in practice it is very difficult to prove the extent of losses. In addition, domestic litigation, as a rule, does not value moral suffering [14]. Therefore, for a simple layman who cannot afford a long and costly lawsuit, the most effective way to deal with an already leaked PD is to directly contact the site where these data were published with a request to remove them. Most sites will respond immediately, as such “negligence” threatens reputational risks and sanctions of Roskomnadzor. Let me remind you that the regulator has the right to fine the electronic platform, according to a press release about the leak of personal data, even without complaints from individuals, [4].

If the fraudsters have already managed to use your PD, in absentia having drawn up a fictitious loan or property pledge agreement for you, you should immediately contact the police, attaching evidence that you were physically unable to perform such an operation (for example, you were in another place, etc. ) In general, always be on the lookout for your PD!

Sources

  1. https://en.wikipedia.org/wiki/Personal_data
  2. https://goodlucker.ru/zakon/personal-information.html
  3. https://www.rbc.ru/society/09/04/2019/5cac54129a7947344a0f4e3f
  4. https://www.rbc.ru/politics/29/04/2019/5cc2df569a7947c83b69b0d5
  5. https://www.rbc.ru/business/27/08/2019/5d6544519a79475d51ee7532
  6. https://iz.ru/923418/vadim-arapov/techet-i-vmeniaetsia-v-set-popali-eshche-76-mln-zapisei-o-klientakh
  7. https://roem.ru/03-10-2019/279806/sberbank-utechka/
  8. https://iz.ru/930000/inna-grigoreva-tatiana-bochkareva/tochka-obscheta-klienty-banka-postradali-ot-utechek-v-bilaine
  9. https://iz.ru/942055/natalia-ilina-valerii-kodachigov/otkryli-vkladchikov-5-tys-zapisei-o-klientakh-vtb-prodaiutsia-v-seti
  10. https://telete.in/s/dataleak
  11. https://www.devicelock.com/ru/blog/kak-v-rossii-lovyat-i-nakazyvayut-za-nezakonnuyu-torgovlyu-personalnymi-dannymi.html
  12. https://www.devicelock.com/ru/blog/kak-obnaruzhivayut-otkrytye-oblachnye-hranilischa-amazon.html
  13. https://iz.ru/940710/2019-11-07/v-rossii-zadumalis-o-nakazanii-za-pokupku-kradenykh-lichnykh-dannykh
  14. https://www.gazeta.ru/tech/2019/08/09_a_12567469.shtml
  15. https://thebell.io/vse-o-vas-za-100-kak-rabotaet-chernyj-rynok-personalnyh-dannyh/
  16. https://www.devicelock.com/ru/blog/tseny-chernogo-rynka-na-rossijskie-personalnye-dannye.html
  17. https://rg.ru/2018/11/21/vs-raziasnil-kak-dokazat-chto-grazhdanin-ne-bral-dengi-u-banka.html
  18. https://www.the-village.ru/village/business/opyt/359067-bankovskie-moshenniki
  19. https://www.dp.ru/a/2019/10/11/A_strashen_li_chert__CHem_na
  20. https://thebell.io/vse-o-vas-za-100-kak-rabotaet-chernyj-rynok-personalnyh-dannyh/
  21. https://habr.com/ru/company/devicelockdlp/blog/430148/
  22. http://minideposit.com/скан-паспорта/
  23. https://digitalguardian.com/blog/101-data-protection-tips-how-keep-your-passwords-financial-personal-information-safe
  24. https://www.ptsecurity.com/ru-ru/research/analytics/mobile-application-security-threats-and-vulnerabilities-2019/
  25. https://www.banki.ru/wikibank/virtualnaya_karta/
  26. https://ru.wikipedia.org/wiki/Оператор_персональных_данных
  27. https://en.wikipedia.org/wiki/Privacy_law
  28. https://www.pwc.ru/ru/services/audit/riskassurance/gdpr.html

Contacts