Your Personal Data Is Worthless in Russia
All over the world, there are increasing efforts to ensure the security of personal data. Russia is no exception, enthusiastically implementing dozens of laws and hundreds of regulations. But is there any real result? My investigation shows that in Russia and across the former USSR, these laws are useless and exist only on paper. The results are alarming: not only companies and government agencies, but also any scammer can access personal and business data, banking secrets, and commercial secrets. Everything is bought and sold for anywhere from the price of a couple of cups of coffee to that of a few mid-range smartphones.
Here are the grim details.
The Black Market for Personal Data
In the 1990s and 2000s, Moscow’s markets were flooded with CDs containing databases: residents, cars and car owners, and later, mobile operator databases. I’m not sure about the current situation with criminal sales of such databases in Moscow (I haven’t lived in Russia for a long time), but I can say with confidence that these are either very old databases or just fragments of modern ones. Today, the volume of departmental and corporate information reaches petabytes and is stored in the cloud, making it difficult to fit anything onto a regular household device for sale.
Now, personal data is actively sold on various forums, where there are sellers, buyers, and even entire arbitration systems to resolve disputes. Criminals have built a powerful infrastructure: forums are active, topics have many comments and reviews, there are bans for scams, and rating systems for “trusted” users.
“In the darknet?” you might think. Not quite. These sites are publicly accessible and may not even be listed in Roskomnadzor’s infamous registry. Some do have darknet mirrors, but those are just mirrors.
This article is about these sites and the “services” that completely undermine all the government’s showy efforts to protect personal data in recent years.
Please refrain from posting links to these resources, even if many know them. First, I don’t want to give even indirect advertising to scammers. Second, it could jeopardize this article. Third, the issue isn’t the existence of these resources, but the state conditions that allow such “services” to exist at all.
Mobile Operators
Take a look at a typical forum and its services:
- Basic service: checking the owner of a phone number—full name, passport data, address. How this data is used depends only on the scammer’s imagination.
- More advanced “services”: tracking a person’s location via cell towers, location history, call details, SMS details. Fortunately, I haven’t seen call recordings (maybe I missed them).
It’s shocking that any scammer can access this information. Whether this is done through the operators themselves or via external interfaces available to government agencies (which I have no doubt exist) is anyone’s guess.
Think twice before registering a SIM card with your passport data. Maybe it really is safer to buy a SIM registered to a random migrant? These are still widely available. By handing over your passport data, you’re identifying yourself not just to the operator and government, but to any criminal willing to spend the price of a cup of coffee on you.
Government Agencies
Nothing compares to the amount of data government agencies have on us. Thousands of employees have access, and the results are all over the forums:
- It’s clear what information these agencies have and how easily employees can compile a full dossier on anyone.
- Even worse, any scammer can compile the same dossier.
Typical services include vehicle information, migration data, and more. The most popular are dumps from databases like Magistral, Sirena, Granitsa, Migrant, Kronos, Spark, Potok, and complex IBDR-IBDF databases. I hadn’t even heard of some of these names before. Everything imaginable is available—even pension fund data.
Banks
There’s a whole category of “services” dedicated to bank account details and transaction histories. Some specialize in personal accounts, but even more focus on business accounts. Here, fraud escalates to industrial espionage and outright crime. I won’t post screenshots, as the criminal “service packages” go far beyond data leaks.
Where does this massive violation of not just personal data laws, but banking secrecy, come from? Honestly, I’m amazed at how rampant corruption is. It seems that any employee with access to client data could be a potential leak. The only question is: where are the security departments looking?
I’d love to name the worst-offending banks, but I won’t, as the first on the list would be those with corporate blogs on Habr, risking this article’s removal. Everyone knows their brand colors. In my experience, the smaller the bank, the less likely you’ll find criminal services related to it on forums.
Everything Is Bought and Sold
I barely touched on the information collected and leaked by electronics, clothing, and grocery stores, and by fitness clubs. All of this is also sold, so think twice before giving your real address and phone number for yet another discount or club card.
Fun fact: databases of users of bookmakers, forex, psychics, buyers of supplements, weight loss, and potency products are actively sold. The target audiences for these products are so well-defined that these databases are constantly updated and traded. It’s a huge business.
It’s not so bad when the data leaked is what we voluntarily provide—just be careful and don’t give it out. It’s much worse when data is leaked that we can’t avoid providing. Buying SIM cards without a passport won’t solve all problems.
In 2017, I read about Russian opposition figures (like Leonid Volkov) who were harassed by aggressive criminals who suddenly had information about all their flights and movements. Thugs would wait at airports, accompanied by paid pseudo-supporters with flags and chants. In Ukraine, such people were called “titushki.”
How did they know about the opposition’s flights? Simple: access to flight databases is bought and sold just like any other database.
A skeptical reader might think: “But you’re talking about opposition figures, people at risk by definition.” That’s not true—this lawlessness can affect anyone. The sheer amount of data about us lying around is plain for everyone to see.
Everyone has a smartphone and a bank account; many have cars, travel by air, or run businesses in the post-Soviet space. Regardless of your social status or political views, you’re at risk because your data is unprotected, and criminals have free rein. What’s posted on forums as commercial offers can actually be obtained “with a phone call” by connected people. This is especially true in Russia.
Many remember the 2008 case of Anton Uralsky and the published call to the Stream internet provider: “there wasn’t a single disconnection!” Everyone laughed, not realizing that the employees committed a crime by posting the audio and Anton’s personal data online, ruining his life.
Why does this story resonate with me? Because in 2008, my own personal data was shamelessly posted by employees of the Korbina internet provider. The reason is almost a joke: the admins of Korbina’s local forum didn’t like some of my posts, so someone matched my IP address to their internal database and posted all my contract details, including passport data and service address. “Here’s the guy, go talk to him, forum members.” Luckily, the forum’s audience was mostly schoolkids, so nothing bad happened. What a caricature of morality: “never anger the admin.”
The admin did it as a joke, just because—that’s the attitude toward personal data and the law. Even in 2008, there were personal data laws, though not as detailed as today. As you can see, nothing has improved in 10 years, even though much more paper has been spent on laws. Everything has become even more criminalized and commercialized, with all the accompanying “business processes.” Where there used to be pranks and petty crime, now there’s financial gain, cold calculation, and a whole criminal infrastructure.
I’ve lived in Germany for five years and constantly see the care with which German agencies and companies handle personal data. The first rule in Germany when working with people: protect their privacy and confidentiality. Every time I experience this, I remember Russian internet provider employees and wonder how many years they’d serve in Germany for their actions. They’d still be in jail. On the other hand, such a situation simply couldn’t happen: the system wouldn’t allow an irresponsible, stupid, or dishonest person access to protected data. Not even a smart but dishonest one.
Afterword
I’m sure that corrupt employees of companies, banks, operators, agencies, and forum owners I wrote about today read Habr and will read this article. Some will think, “You’re exposing our business to the public,” to which I reply: you’re doing very bad things, committing crimes, and I won’t praise what I consider evil or stay silent about what I find unacceptable.
I’ve only touched the tip of the iceberg—no more than 2% of the truth. Digging deeper, you’ll find criminal “services” like remote SIM blocking, SMS interception, bank account blocking, paralyzing company operations—any criminal whim for your money. Everywhere, employees of agencies or commercial companies are involved.
By the way, with mobile operators, there are even more “services”: scammers exploit vulnerabilities in mobile networks to geolocate every user who visits a site over mobile internet, to sign users up for paid subscriptions, and, for themselves, to completely bypass mobile traffic accounting (not just simple tethering, but fully disabling data limits). Surprisingly, these tricks don’t come from shady darknet forums, but from the well-known 4pda forum in Runet.
I didn’t dig deeper into the black market—it’s too slippery and disgusting. I was only interested in the situation with personal data, which is catastrophic and not even buried deep in the black market, but right out in the open.
Most of this article focused on Russia, its organizations, and agencies. Ukrainian readers are probably used to most bad news in the Russian-speaking internet being about their northern neighbor. Unfortunately, this time I can’t share your optimism: the “services” described in this article are just as available in Ukraine as in Russia, at the same prices.
In my experience, there are far fewer offers for Belarus and Kazakhstan. Maybe I didn’t look hard enough (honestly, it’s morally hard to stay on these sites), but it’s clearly not due to lower crime. I think it’s simpler: the supply is proportional to the population, and Belarus and Kazakhstan have far fewer people than Russia and Ukraine.
I’ve never seen offers for such “services” in Europe, the US, or other developed countries. At most, you’ll find checks through general databases (like Interpol), accessible from Russia. Obviously, in those countries, laws are not just written on paper—they’re enforced. Laws aren’t for show or “checking the box.”
Meanwhile, ordinary Russian, Ukrainian, Belarusian, and Kazakh small business owners will happily be fined by regulators for the wrong consent form for personal data processing, while those same agencies will just as happily leak the entire database—including your data, your business, your clients, and even your fine.