Column by Tatyana Isakova on the practical application of data leaks
The National Coordination Center for Computer Incidents (NKTsKI), controlled by the FSB, announced the launch of its own service for checking citizens’ data in leak databases. It is hosted on the website “User Security on the Internet” created by the NKTsKI, through which you can check your phone number, email or login on a particular service. The search takes place in a consolidated database, which is replenished from open sources. The resource does not store the databases themselves.
As a result, the user is given matches in the databases indicating the name of the service and the date of the leak. It is stated that search history is not saved. I discovered that NKTsKI has access to leak databases, for example SDEK from 2022 and VK from 2012, as well as foreign services (Canva and others). The site emphasizes that if the user does not find data in the search, this does not mean that it is safe. “Not all companies voluntarily and promptly disclose information about incidents,” explains the NKTsKI.
Information security specialists call the new service an analogue of Have I Been Pwned (HIBP), an English-language breach-checking site created by Australian Troy Hunt. According to HIBP, data from 13 billion compromised accounts can be found on it. The service is maintained, among other things, with help from law enforcement agencies. For example, in 2021, the UK National Crime Agency shared with HIBP a database of more than 585 million hacked passwords discovered during investigations. The agency did not disclose the source of the leak. Before that, the American FBI had contributed to the database.
In Russia, in addition to the FSB, data on leaks is collected by Roskomnadzor: companies that have had an incident must send their notifications to it. But the very fact that NKTsKI receives data from open sources, and not from the internal database of Roskomnadzor, indicates the paucity of information coming from market participants. This is not surprising given the regulation of personal data storage that is being discussed now: from turnover-based fines for incidents to financial compensation for victims of leaks.
It is the prospect of receiving compensation that can make the new NKTsKI service truly useful for citizens. Since it has official status and operates “under the auspices of the FSB,” search results from the site can serve as one of the arguments for demanding compensation from the organizations that allowed the leak, lawyers say: “There will be more trust in this resource than in an independent service.” Experts clarify that “the search results are unlikely to become an independent argument, but they are quite suitable as additional evidence of the very fact of leakage and distribution of data.”