Search engine data leaks shock Russian Internet community

Russia’s Internet community was shocked by a series of major private information leaks within a single week, amid the adoption of a new law aimed at protecting personal data.

The vulnerabilities of Russian websites came to light for the first time last Monday, when some 8,000 text messages sent by clients of the Russian cellular operator MegaFon through its website were found online in the output of the major Russian-language search engine Yandex.

Representatives of MegaFon explained the leak as a technical slip-up caused by external administrators. In turn, Yandex blamed the administrators of MegaFon, who had not published on their website the robots.txt file, which contains the instructions search engines follow when they index the contents of a given web page. The search engine has already purged the indexed text messages from its cache. As for MegaFon, the company has received a letter from Roskomnadzor, the industry regulator, stating that it has started an investigation into the case. However, the company believes there was no leakage of private data because the full names of the subscribers were not displayed.

The assumed leak of the contents of text messages of a large number of MegaFon subscribers, along with their mobile numbers, caused a major stir in the Russian media and expert community. Last week, bloggers found another leak at EMS Russian Post, the fast-delivery wing of the Russian postal monopoly. The leak allowed information about clients to appear in the cache of search engines. This Tuesday, the completed forms of railway tickets ordered through two Russian websites, tutu.ru and railwayticket.ru, were found in Yandex and Google. The forms contained passport data of customers as well as some other sensitive private data.

A fourth major Internet leak in just a week has exposed the private shopping habits of people at more than 80 Russian online stores, including those selling model cars, perfume and sex toys. The leak was first reported by Internet security company Informzashchita, also on Tuesday. A Yandex query had to be formulated with complex search syntax to display the private data, all but ruling out that a casual web surfer could stumble upon the information. But simple queries entered into four other search engines – Google, Bing, Mail.ru and Rambler – also led to cached pages with order data, The Moscow Times daily has learned.

All four major data leaks were discovered amid the adoption of new legislation to protect personal data, which Russian President Dmitry Medvedev signed this Monday.

Sources: Kommersant, Lenta.ru, The Moscow Times

Update Aug. 2, 2011

The Consumer Union of Russia (CUR), an influential watchdog uniting over 100 regional organizations, has filed a lawsuit against ten Russian Internet retailers suspected of being the source of the recent customer data leak through Yandex, the Russian news agency RIA Novosti reported on Monday.

“This is all horrible and destructive and not right,” CUR head Petr Shelishch said at a news conference. “We need to do something together to ensure that what we wish to keep private stays private.”

CUR is suing only 10 out of a total of 80 Russian online retailers supposedly responsible for the leak because the organization was unable to identify all the companies behind the sites. CUR won’t be claiming any material damages from the defendants in the suit but will demand a cease-and-desist court order to prevent further leakage of private data.

Topics: Cybersecurity, Internet, Legal, Legal matters, Mobile & Telecom, News, Operators & Networks, Social networks & apps