Tatyana Isakova on refutable evidence of data leaks

The New Year began with a loud announcement about a major leak of financial data: on January 8, the pro-Ukrainian group Kiborg together with NLB (Nice Leak Bro, Russian-speaking hacktivists) announced the publication of Alfa Bank client data allegedly stolen back in October, claiming that we are talking about 38 million people (at the end of the first half of the year, the bank officially reported that it had 27.9 million individual clients).

Bank representatives, both then and now, called the leak a “fake” and a “compilation of data from open sources.” Despite the discrepancy in the number of clients, it is not easy to figure out who is right, the hackers or the bank. In 2023, Alfa Bank officially received an administrative punishment under Art. 13.11 Part 1 of the Code of Administrative Offenses (violation of the legislation of the Russian Federation in the field of personal data). But whether the punishment is connected specifically with this leak is unknown: the materials on the case have not been published; the decision was made on September 9.

A similar story occurred in 2023 with a leak at MTS Bank, for which NLB also claimed responsibility. At the time, the company did not confirm the leak of “banking secrets and other sensitive customer data.” But in October, Roskomnadzor confirmed the incident.

In general, while the average fine for a leak of citizens' data does not exceed 60 thousand rubles, it is easier for companies to remain silent or to refute the incident immediately, citing old data. But with the introduction of impressive fines of up to 500 million rubles, which the State Duma is currently considering as part of the relevant bill, the situation may change, experts in the field of information security warn.

Moreover, it is not just about the direct financial consequences of large fines. My interlocutors talk about the risk of blackmail by attackers who can compile data from past leaks and threaten to pass it off as the result of a new incident. If the level of fines is high, paying off may be more profitable than dealing with regulators.

Meanwhile, the bill introducing turnover fines for data leaks does not stipulate the risk of fake leaks. The head of the relevant State Duma committee, Alexander Khinshtein, confirmed that this aspect was not raised during the work on the bill, which is scheduled for consideration in the spring session.

Therefore, cybersecurity market participants admit that companies will have to develop methods for promptly investigating incidents and “properly refuting them.” For example, it is possible to publicly and promptly verify data in leaked databases, be it the full names of clients or card numbers, which at each bank contain unique digit combinations, so that it will no longer be possible to pass it off as the card of an alleged victim.
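The two checks the column describes, testing whether card numbers in a claimed dump actually belong to the bank's own number space and whether they are merely recycled from an earlier, already-known leak, can be automated as a first triage step. The script below is an added illustration, not code from the column or from any bank mentioned in it. The BIN prefixes, the "previously published" set and the sample records are all constructed placeholders; a real deployment would load the bank's actual issuer ranges and its archive of earlier dumps.

```python
"""Triage of an alleged card-data leak.

Classifies each claimed card number (PAN) as structurally invalid, outside the
bank's own issuer prefixes ("foreign"), or inside them, and for the latter
distinguishes numbers already present in an earlier known dump ("recycled")
from numbers never seen before ("new"). Only the "new" bucket indicates a
possible fresh incident; a dump made entirely of recycled numbers is the
"compile old leaks and pass them off as new" scenario.
"""

# Hypothetical six-digit issuer prefixes (BINs) assumed to belong to the bank.
# Constructed placeholders for this example; not real issuer identifiers.
BANK_BINS = {"400001", "400002", "510001"}

# Constructed placeholder: PANs from an earlier dump the bank already knows about.
PREVIOUSLY_PUBLISHED = {"4000010000000001", "5100010000000007"}

# Constructed placeholder records from a newly claimed dump.
SAMPLE_CLAIMED = [
    "4000010000000001",  # in our BIN space, already in the old dump
    "4000020000000000",  # in our BIN space, not seen before
    "5100010000000007",  # in our BIN space, already in the old dump
    "6000010000000006",  # valid Luhn, but not one of our prefixes
    "4000010000000002",  # our prefix, but fails the Luhn check (typo or fabricated)
    "4000 0111 1111 1117",  # spaces as often found in dumps; ours, not seen before
]


def normalize(pan: str) -> str:
    """Strip separators so that '4000 0111 ...' and '40000111...' compare equal."""
    return pan.replace(" ", "").replace("-", "")


def luhn_valid(pan: str) -> bool:
    """Return True if the PAN is 12-19 digits and passes the Luhn checksum."""
    pan = normalize(pan)
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_pan(pan: str) -> str:
    """'invalid' (bad checksum/length), 'foreign' (not our BIN), or 'ours'."""
    pan = normalize(pan)
    if not luhn_valid(pan):
        return "invalid"
    if pan[:6] not in BANK_BINS:
        return "foreign"
    return "ours"


def triage(claimed_pans, previously_leaked):
    """Count claimed PANs per bucket; 'ours' is split into recycled vs new."""
    summary = {"invalid": 0, "foreign": 0, "ours_recycled": 0, "ours_new": 0}
    for raw in claimed_pans:
        pan = normalize(raw)
        bucket = classify_pan(pan)
        if bucket == "ours":
            bucket = "ours_recycled" if pan in previously_leaked else "ours_new"
        summary[bucket] += 1
    return summary


def verdict(summary) -> str:
    """Turn the bucket counts into a one-line assessment for the incident team."""
    ours = summary["ours_recycled"] + summary["ours_new"]
    if sum(summary.values()) == 0:
        return "no records to assess"
    if ours == 0:
        return "no records in our card number space: likely not our data"
    if summary["ours_new"] == 0:
        return "only previously known cards: likely recompilation of an old leak"
    return "contains previously unseen cards in our number space: treat as possible new incident"


if __name__ == "__main__":
    result = triage(SAMPLE_CLAIMED, PREVIOUSLY_PUBLISHED)
    print(result)
    print(verdict(result))
```

The check is deliberately conservative: a dump that passes both filters is not proof of a breach (attackers can also generate Luhn-valid numbers inside a known prefix), but a dump that fails them gives the bank a concrete, publicly explainable basis for a refutation rather than a bare denial.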
