Compensation received for data leak – Kommersant FM

On the second attempt, a St. Petersburg resident was able to sue for money for leaking his data.
At the end of February 2022, data from 58 thousand users of the Yandex. Food” appeared in the public domain. Anyone could see their names, phone numbers, addresses, intercom code and even the amount of spending over the last six months on a special resource. It was later blocked. The user learned about the leak in March, found his data on a third-party site, and then decided to go to court. But we managed to win the case only the second time. What arguments convinced the judges? And will this practice become widespread? With details – Alexander Mezentsev.

St. Petersburg resident Alexander Shatsky considered that “Yandex. Food”, having allowed a leak, violated his rights and demanded compensation of 50 thousand rubles. for moral damage. In court, the service representative insisted that the plaintiff did not prove the leak was the company’s fault, and the first instance agreed with this.

This is not surprising, because, based on foreign practice, fraudsters often use company vulnerabilities to their advantage, emphasizes Igor Bederov, head of the Internet Search company:

“In the West, there is a General Data Protection Regulation, a more advanced, well-thought-out legislation in the field of processing and security of personal data. There, people purposefully take a separate identifier, phone number, email and enter it into a specific service.

After which they expect the risk of leakage or unauthorized transfer of their personal data from this site to their numerous partners, of which there are always.

Then they take their only ID, which was used only on this resource, and go to court. Actually, this confirms the fact of the leak.”

However, the appeal recognized that the service should be held accountable for the leak of personal data, and decided to recover from Yandex. Food” 5 thousand rubles. in favor of the St. Petersburger.

In November 2022, the Zamoskvoretsky District Court of Moscow also decided to pay 13 clients of this service 5 thousand rubles each. compensation. At the same time, they asked for hundreds of thousands each, seven more plaintiffs were left with nothing.

Considering the current situation, it was lucky that we were able to receive some kind of compensation at all, continues the head of the Internet Search company, Igor Bederov:

“No one will be able to sue for large sums, given the conduct of the SVO and the fact that all current problems with information security and leaks can be attributed to the fact that the systems are being attacked by unknown hackers from abroad, and as a result the systems become vulnerable.

That is, there is a conditional moratorium on prosecution.

Moreover, while at this stage there are no turnover fines for large companies, the courts are loyal to such actions.”

In April 2022, Yandex. Food” was fined 60 thousand rubles. for leaking user data. In August, the company was given the same punishment, but this time for leaking the personal information of the service’s couriers into the public domain.

Despite the positive experience of some plaintiffs, it is premature to talk about the widespread spread of such practices, noted Roman Yankovsky, a partner at Tomashevskaya and Partners:

“The Personal Data Law provides for such a right of a citizen whose information has been disclosed. But usually this applies to cases where a person was able to prove property damage, that is, for example, a loan was taken out for his passport data.

That is, we are not talking about those episodes when this information simply became public knowledge. Moreover, the Yandex. Food data did not include passport data, as far as I know.

We must, of course, understand that this is not some sort of Supreme Court-level case. The decision of the St. Petersburg City Court in this sense does not create a big precedent, and we must see how this will develop further.”

Meanwhile, it became known that in Data of 1 million clients leaked online MTS Bank. The attackers published personal information, including tax identification number and citizenship. The bank itself claims that the published database contains card data from different issuers, and therefore the leak could have occurred at a retailer or some digital service.

According to experts, the publication of such data could cause serious material damage. And what compensation might be for this is still difficult to calculate.

---

Everything is clear with us – Telegram channel “Ъ FM”.

Yana Zagorovskaya, Vladimir Rasulov