Russians are alerted as around 2.25 million passport entries from 360,000+ individual passport holders were leaked from multiple Russian-state controlled websites, including the data from high officials of Kremlin. Information stolen is now available for download online by anybody using simple keywords, with information of high-level officials of Russian included in the leak including former Deputy Prime Minister Anatoly Chubais, former Deputy Prime Minister Arkady Dvorkovich (with his wife Zumrud Rustamova and Deputy Chairman of State Duma Alexander Zhukov. The passport leak also includes information from high profile Russian personalities such as Vladimir Solovyov, a TV anchor, Igor Kogan and Irina Mamkhegova (officials of Nordea Bank’s management).
“In practice, if the reports contain personal data, the Justice Ministry hides such data when processing and posting reports … If such data is still available on the information portal, then we treat this situation extremely negatively, since, as far as we know, the subjects of personal data did not give consent to the Ministry of Justice on the placement of their personal data,” said Fund for Infrastructure and Educational Programs, one of the early reporters of the problem.
Ivan Begtin, co-founder of Informational Culture, a Russian NGO was the first source of the news about the passport information leak. He claimed that around 50 Russian-government controlled sites were checked by his team, with 23 found being compromised/infiltrated by unknown 3rd parties while another 14 directly leaks the passport data. Aside from the individual passport images and passport numbers, the following information was also included in the leak:
- Job description and employer information
- Tax Identification Numbers
- Email addresses
Begtin claimed that the leak was happening for quite a while, as he informed the Russian Data Privacy Agency, Roskomnadzon but no one from the agency believed his research. The news remained black-out until RBC, a mainstream Russian news site picked up the story on May 15, 2019. The most likely reason for the leak according to Begtin are the websites involved in the breach were manned by incompetent web admins. The same websites were also using rudimentary CMS (Content Management Systems) that lacks the monitoring features to detect breaches and suspicious login attempts.
“This time the problem is not in volume, but in whose data are disclosed. Data leakage is just one example of extremely poor data quality in general. And yes, of course, these are not all state information resources on which personal data are published. This is the part of them to which I got my hands half a year ago to document everything,” said Begtin in Russian (translated through Google Translate).
Russia has an existing law that slaps penalties against information holders who lost data due to a data breach to the tune of $1,150 per victim. With 360,000 individual passport holders involved, the penalty may reach up to the maximum amount of $414 million. The Federal Treasury of Russia has made a commitment to establishing reforms so such massive data leak will not happen again.