Russia to Impose Fines on Buyers of Stolen Personal Data
In recent times, leaks of personal data from clients of banks, financial, and insurance companies in Russia have become much more frequent. Most often, the stolen information is sold on specialized platforms. Catching the sellers is not always possible, so to reduce the demand for such data on the market, Roskomnadzor has decided to fine the buyers.
The new responsibility will apply to the purchase and further use of stolen personal data. This was announced by Alexander Zharov, the head of Roskomnadzor, at the 10th International Conference on “Personal Data Protection” held in Moscow. According to him, the agency is already preparing the necessary proposals.
“We are preparing a package of proposals aimed at regulating internal control over the processing of personal data and establishing administrative responsibility not only for distributing personal data obtained illegally, but also for acquiring and subsequently using it,” Zharov stated.
In this context, responsibility means fines that will be imposed on individuals who buy and use stolen user data. The exact amounts of the fines are not yet known—they will be determined after the law increasing penalties for storing Russian citizens’ personal data abroad is passed.
Zharov said that amendments to the current legislation are planned to be developed and submitted to the State Duma by the spring session. The agency is also planning for an active public discussion of this initiative.
Zharov believes that since data leaks have become more frequent, it is necessary to strengthen the dialogue between Roskomnadzor, businesses, and special law enforcement units that investigate such issues. One of the “bad news” stories that needs to be addressed, according to Zharov, is the case involving Twitter employees who stole users’ personal data for resale.
This refers to the bribery of two Twitter employees by the authorities of Saudi Arabia, who needed personal data on various users, including political activists.
As for Russia, there have indeed been many data leaks—and not all of them become public knowledge. For example, just recently, information appeared online that a database of 3,500 Alfa-Bank clients and its subsidiary was being sold on the internet. The leaked data was taken from contracts, which means clients can be easily identified, along with their credit limits or insurance details.
The largest leak this year was a Sberbank database containing one million records. It had been compiled since 2015 and included full details of bank clients with loans or credit cards: passport information, registration, home addresses, phone numbers, account balances, and debts. Additionally, extra information was also for sale—such as the transcript of the client’s last call to the bank. According to the seller, the database is updated weekly. In the last three weeks of October alone, about 20,000 new records were added.
In the Sberbank case, a suspect was detained—a resident of Volgograd who worked as a debt collector. At the end of October, Sberbank announced its intention to terminate its contract with the collection agency where this employee worked.