Shadow Market for Bank Client Databases in Russia Surpasses 1 Billion Rubles

According to a 2019 study by the analytical center “Garda Technologies” (part of ICS Holding), the shadow market for bank client databases in Russia reached a value of 1,039,632,336 rubles. Since 2016, the volume of the illegal database sales market has grown by 76%. In 2019, data on 70,064,796 clients from 42 Russian financial organizations was available for open sale. The data was current for 2018-2019.

Excluding information collected through parsing open sources, analysts identified 191 unique databases of financial organization clients offered for sale in 2019 by various sellers in different configurations. Most of the compromised data consists of nationwide databases not tied to specific regions or cities. However, there are also many offers for databases from specific regional bank branches.

Almost half of the offers—493,000 records—are databases from banks in the Moscow region. Databases from the Altai Territory are in second place (478,000 records), followed by Nizhny Novgorod region and Samara, which together account for 423,000 records.

Pricing and Types of Databases

The price of bank sector databases on the open market depends on the prevalence of the offer, the completeness, and the relevance of the data. The average market price is 175,000 rubles for 45,000 client records from financial organizations. Price offers are divided into two groups: unique and mass-distributed databases. The most valuable are fresh data dumps from automated banking systems, sold exclusively to one buyer. The price per record in such a database starts at 5 rubles and can reach up to 2,000 rubles. The average price per record in mass-distributed databases, which are sold multiple times, is much lower—about 0.5 rubles per record or less, depending on purchase volume.

In the financial sector, the pricing dynamics for mass-distributed databases depend less on how recent the data is and more on its completeness. For example, information on VIP clients of a regional branch of a major bank, including passport data, card numbers, and current account balances as of 2015, is openly sold for 15,000–20,000 rubles for a database of 20,000 records. For the same price, you can buy a list of 300,000 payroll clients with only names and phone numbers from 2018.

Risks and Consequences of Data Leaks

For banking service users, the risks from data leaks range from social engineering—such as calls from “tech support” using regular mobile numbers with fake messages about card blocks or withdrawals—to large-scale fraud involving accounts and loans.

For banks, in addition to direct customer loss, major leaks can result in reputational damage and regulatory sanctions for violating Federal Law 152-FZ “On Personal Data.”

Market Demand and Recommendations

High demand for bank databases on the black market is driving the emergence of new and increasingly up-to-date offers. Insiders often work on commission, and there is no direct access to them; sellers use various data sources.

To protect data and prevent leaks, “Garda Technologies” analysts recommend that financial organizations more carefully control the legitimacy of access to their databases within the organization, monitor mass data exports from storage systems, watch for abnormal actions by privileged users, and regularly check for vulnerabilities in the database management systems they use.