Russia to dramatically hike fines for data theft

Russia to dramatically hike fines for data theft
The Russian government will dramatically hike the fines for stealing information as it battles against a tide of data theft / wiki
By Vladimir Kozlov in Moscow June 17, 2020

Hackers are preying on Russian’s personal data and the number of crimes have ballooned. The government is responding with a dramatic hike to the fines for stealing information, but some experts say the proposed measures are too harsh, especially at a time of the coronavirus (COVID-19) pandemic. The Russian government has already been accused of being a “Big Brother” and the issue of personal data stored on servers in the country remains highly sensitive.

Databases containing personal data are freely available on Russia’s black market. Lists containing personal information such as addresses, car ownership, tax numbers and the like used to be on sale on CDs on the open-air Fili media market in Moscow until the authorities finally managed to shut it down. But now the trade has simply shifted online.

Client data belonging to Russia’s largest lender state-controlled bank Sberbank was stolen last year and went on sale on shadow online platforms last October in one of the biggest data heists in Russian history. Likewise, one of Russia’s largest private banks, Alfa Bank, reportedly had a leak of credit card and insurance contract identities a month later and a sample of the client data that was sold in October had already led to several fraud attempts. Russia’s banks are already reporting cybercrimes worth tens of millions of dollars a year.

Under the proposed changes to Russia's administrative code by the country's Justice Ministry, the maximum fine for leaking private data should be raised from the current RUB50,000 ($724) to RUB500,000 ($7,240).

Under the proposal, fines for individual entrepreneurs would increase from RUB20,000 to RUB300,000, for officials from RUB10,000 to RUB100,000 and for regular citizens from RUB2,000 to RUB20,000.

The idea of raising fines for leaking private data was first floated in 2015 when the State Duma, the lower chamber of the Russian Parliament, considered raising the maximum fine to RUB300,000, but the initiative was never finalised.

The Justice Ministry's proposal is expected to undergo a public discussion and will have to be approved by other involved government agencies but, most likely, it will be adopted.

Private data under threat

Over the last few years, leakages of private data have become a real issue that needs to be dealt with.

According to the cybersecurity firm InfoWatch, in 2019, the number of private data leakages increased by 40% on the previous year.

And more recently the situation has got worse, as many companies have switched to remote work due to the coronavirus (COVID-19) lockdown. As a result, company employees often work in an unprotected environment, making it easier for perpetrators to get hold of private data handled as part of companies' operations.

Ashot Oganesyan, founder and CTO of computer security firm DeviceLock, was quoted by Kommersant as saying that the number of hacking incidents involving private data has increased by 50% since the first lockdown measures were introduced in mid-March.

According to Oganesyan, attempts to illegally copy customer databases account for 30% of all incidents.

Expert opinions diverge

Some experts have questioned the idea of a drastic increase in fines for private data leakage.

The proposal for a dramatic hike in fines without detailed regulations in the area of data confidentiality and without a transitional period during which operators would be able to adopt new procedures for private data protection raises many questions, Yekaterina Portman, head of Deloitte Legal CIS, was quoted as saying by Kommersant.

“This measure would be premature and inhuman, especially in the context of the country's overall economic situation, which is deteriorating due to the coronavirus (COVID-19) pandemic,” Portman believes.

However, other observers disagreed. The RUB500,000 fine would be too high only for small businesses, but for a major organisation it would be nothing but a "small nuisance," Irina Gudkova, director of the legal department of the Commercial Bank of Moscow, was quoted as saying by Kommersant, adding that companies of that kind would be more concerned about reputational damage.

Meanwhile, some experts even said that the proposed fines could be too low to stop perpetrators from leaking private data.

Alexander Zhuravlev, head of the commission for legally supporting digital economy at the Association of Russian lawyers, told Kommersant that, for instance, on the darknet, databases are offered for much higher prices than the proposed fines.

According to DeviceLock data, a database of a bank's retail customers with 150,000 entries was offered on the darknet last year for roughly RUB10.5mn ($152,000).

According to Zhuravlev, fines for data leakages should be comparable to those for private data storage outside Russia, currently set at between RUB6mn and RUB18mn ($86,000 to $260,000).

Over the last few years, private data leakages from major Russian companies have been reported.

In 2017, data of 17,000 individuals was leaked from the Russian pension fund. In early 2019, major cell phone operator Beeline confirmed that data of its 2mn customers had been leaked. Later the same year, Russian Railways reported a leakage of data for 700,000 of its customers.

Since the beginning of this year, the liquor store chain Krasnoye i Beloye and the federal customs services have suffered major data leakages, amongst many others.



This article is part of bne IntelliNews coverage of technology, blockchain, fintech, cryptocurrencies and the new economy. Sign up for the free monthly newsletter bneTech here, or read more tech stories on the website here.

Read the latest issue of bneTech here

Sign up for free here

bne’s tech section online