Changes to Russian laws regarding the protection of personal data could encourage companies and agencies to better care for their own safety. Source: Reuters
Last week, authorities discovered that customers of the Russian subsidiary of the famous Swiss insurance company Zurich had had their information stolen. The culprits managed to obtain customers’ addresses, places of work and mobile phone numbers.
This is not the first major leak of personal data in Russia, but the true scale of the disaster is unknown, as the company does not have the right to report such incidents.
Experts say that large-scale data leakage has practically never threatened Zurich clients. Yet there is always the possibility that buyers of insurance companies’ customer databases will turn out to be criminal organizations; it is much more likely, however, that the buyers will be competing companies, says the general director of Zecurion, Alexei Raevskii.
In the latter case, affected Zurich clients are likely to face only an increase in mailings offering services.
The Zurich data leakage could be much more painful, though. “Direct damage caused by this incident will likely be small for the company. Currently, the maximum penalty for failure to comply with the law on personal data is 500,000 rubles (around $15,150), and it applies only in cases of repeated violations. Claims to the company for damages by the affected citizens are also unlikely to lead to substantial losses,” says Raevskii.
“As for the indirect losses, they can be assessed in the tens of millions of dollars in this case,” the general director says. If Zurich's customer base falls into the hands of competitors, then, in the next six months, more than half of the clients in this database may change their insurance company, experts predict.
Another major leak of customer databases, which also became known to the media, took place in August 2012: The names, email addresses and mobile phone numbers of coupon service subscribers were leaked online.
Scammers offered to sell Vedomosti journalists, for $500, a database of 760,000 Muscovites registered with online stores or coupon portals. The press services of the largest coupon providers — Biglion and Groupon — denied leaking their databases.
Of all commercial organizations, telecom operators are the most prone to leaks, notes Raevskii. In 2003, the customer base of MTS was stolen, and the intruders obtained not only the names and telephone numbers of subscribers, but also their passport data. The operators claimed that the theft likely occurred through centralized law enforcement.
As for government agencies, not so long ago the databases of customs, tax authorities, traffic police and other departments could be bought in every underpass.
"Now the situation has improved somewhat — but mainly due to the fight with the sellers, not the insiders. And there is every reason to believe that the situation with the protection of databases in these organizations has not improved significantly," says Raevskii.
The fight with the sellers of stolen data is not enough to minimize the risk of leakage. It is essential that companies and agencies themselves think about the protection of their data.
"The competent director of information security, with organizational and technical measures, may well reduce the risk of leakage to an acceptable level. However, this requires the support of the leadership, which often does not consider information security a priority task. Therefore, as long as priorities have not changed, it would be naive to wait for a fundamental change in the situation with the leaks," says Raevskii.
Changes to Russian laws regarding the protection of personal data could encourage companies and agencies to take better care of their own security. In its current form, the law on the protection of personal data "looks strange enough," according to Raevskii; it contains a list of technical requirements that an organization must meet, but it does not provide for liability for the leak.
"It turns out that the main purpose of the law is not to provide the actual protection of data, but to provide compliance with the requirements. So everything remains as it is: Everything meets the requirements and incidents continue to occur," says the head of Zecurion.
The lack of a mandatory requirement to inform clients about leaks of confidential data also raises doubts. Such a requirement is included in the laws of some EU countries and can be effective in dealing with leaks, say Doctor Web experts.
Under current law, the penalty for allowing data leakage is only 20,000 rubles (about $600). The Federation Council is currently preparing amendments to the law on personal data, which will reduce the level of technical requirements for organizations, but significantly increase the penalties for leaks.
According to Ruslan Gattarov, member of the Federation Council Committee on Science, Education, Culture and Information Policy, penalties could reach "millions of rubles." However, it is not clear when these amendments will be adopted.
All rights reserved by Rossiyskaya Gazeta.