Don’t panic, but don’t not panic Making sense of data leaks at Russia’s banks

On October 24, the newspaper Kommersant reported that Sberbank clients’ personal data were for sale on the black market in a database that apparently contains roughly a million lines of customers’ passport numbers, registration information, home addresses, telephone numbers, account numbers and balances, and records of any recent communication with the bank’s call center. Spokespeople for Sberbank, meanwhile, deny any such data leak. Earlier in October, Kommersant reported another leak of 60 million Sberbank credit card numbers, though the company’s spokespeople acknowledged the leak of just 5,000 clients’ card numbers. These incidents are just two episodes in the wider theft and illegal sale of banking information that belongs to millions of Russians. Meduza asked two experts who work on preventing data leaks to weigh in on the Kommersant reports, and explain why Russian banks don’t do more to protect their customers’ information.

Ashot Oganesyan

Founder of “DeviceLock,” a developer of data-leak-prevention systems 

Data leaks from banks are probably routine by now, but major [leaks] are still something out of the ordinary. For example, it’s very rare for bank heads to comment on these leaks. Usually, everything is either swept under the rug and banks deny any leak, or all we get is a press statement that they’re sorry and everything’s fine now.

Thanks to movies, people might think that data leaks at banks are the work of hackers, but usually there aren’t actually any hackers. Almost every time, it’s the human element, which is exactly what often drags Sberbank into the headlines. And there are objective reasons for this: it’s a huge bank with lots of branches across the country, where employees earn small salaries, and it’s very easy to corrupt them. These people are willing to commit crimes for small amounts of money. Very often, low-level staff are how these leaks happen.

On the black market, there are all kinds of bank clients’ databases. The most valuable (the ones that sell for the highest prices) contain all a person’s data, as well as some kind of specific information about their account, like the funds balance. Better still, some have the account and card numbers. Generally speaking, the more information in a database, the greater the demand from fraudsters. But more often what you find are databases that have someone’s personal data, their telephone number, and the name of the bank they use. Usually there’s no banking information, which means these leaks aren’t likely from any banks. There are a lot of shady groups who have written special bots that can find out if someone is a particular bank’s client by using banks’ telephone systems for transferring funds.

Among dealers, this latter kind of database is relatively cheap because it doesn’t offer the same precision. We’re not talking about “cracking” a specific client here — that kind of service might cost between 1,000 and 10,000 rubles [$15 and $156]. The data in these leaked databases are sold in bulk; for example, some vendors require buyers to purchase at least 1,000 people’s information from a leaked database, where one client’s data end up costing between 30 and 50 rubles ($0.50 and $0.75).

When fraudsters finally get their hands on a database, they begin with some social engineering. For example, they’ll call a bank’s clients, masking their phone numbers and posing as bank employees, to report irregularities with their accounts. They’ll go through all the motions, asking people their names, stating their account numbers and balances. They try to gain your complete trust, so they can get the information they’re missing on you, and then they withdraw your money.

For customers, the threat of these leaks is clear, but there’s a sense that the banks aren’t all that concerned. They act like the threat doesn’t even exist; they don’t need the scandals.

That being said, banks have the technical capacity — special technical protection systems — to stop leaks. They’re used on employees’ work computers, and all the user information processed on these machines passes through these systems. For example, on official business, staff can send documents by registered email within the company. If someone tries to copy something out of these docs, the system starts checking the data being transferred, and the operation can be prohibited, if anything suspicious turns up, and this information is then sent to the [bank’s] security service.

In the West, this is exactly how banks work, prohibiting all such operations. Most of all, this helps protect against accidental leaks, for example, when an email is accidentally sent to the wrong person. [In Russia] the banks often deal with this only after the fact. Their systems operate in monitoring mode, without blocking anything. In watch mode, we can [only] find out how a leak happened, if something does happen. [Russian] banks justify this choice by arguing that they don’t want to disrupt business transactions. But you can’t delete the information from the Internet, once it’s leaked. There’s virtually nothing you can do at that point.

If you’re a client at a bank where there’s been a leak, you might try to take the bank to court. There’s not much more you can do. Just stay on your guard. If someone calls you and says they’re from the bank, hang up and call the bank yourself. That way, you guarantee that you’re talking to the bank.

What you should understand generally is that malicious persons can fool even the most advanced security systems. That’s why the main issue in the fight against leaks is how perpetrators are punished. And there’s quite a divide here between the situations in Russia and the West. Staff at banks and telecom offices who [are caught] leak[ing] data get fines and probation at worst. Legal entities face the same fines between 5,000 and 75,000 rubles [$80 and $1,170]. For a bank, these are pretty ridiculously small figures. In the West, however, the punishment is as severe as a percentage of their revenue. This kind of punishment has effectively forced tighter data controls. Nobody wants to lose a percentage of a billion dollars in turnover.

That said, there aren’t as many leaks among banks as in other industries; they’ve got a lot of money and they’re the most secure. It’s just that they have a lot of very valuable information, and the media loves writing about them. Nobody pays any attention to leaked databases from beauty salons or medical centers. Who knows how they protect their databases, which are leaked every day. That kind of information circulates online uncontrollably. Nobody even thinks about these databases.

Alexey Rayevsky

Founder of “Zecurion,” another data-leak-prevention systems developer

Russia’s law on personal data is designed in such a way that almost nothing happens to those who allow data leaks. Nobody conducts thorough investigations like in the West, and nobody pays multimillion-dollar fines. Everybody pays small fines and goes on like before. That’s why the IT security departments at major [Russian] banks (where the biggest reputational problems aren’t even leaks) are not a top priority. They’re not given sufficient resources, and so on. If you’re an IT director and you go to the bank’s management, asking for 100 million [rubles — about $1.6 million] to fight data leaks, you know you’re not getting it, when the fine is just 75,000 rubles. [Russia’s] main problem is a lack of legislative responsibility.

Additionally, protection against leaks isn’t a competitive edge. Basically, everyone has leaks. You can’t protect against information theft at 100 percent — it’s just impossible.

Everyone is trying to steal from the banks because any kind of banking information has its price on the black market. And the more you manage to grab, the more you can earn. If something is poorly guarded, it’s taken and they try to sell it somewhere else. They steal all the low-hanging fruit, whether it’s transaction histories, password hints, or anything else.

Getting these databases is just the first step for fraudsters. It takes another 10 to 15 steps before they can monetize the information. For example, you’ve got to call up clients and pretend to be bank employees, in order to cash out their funds. And the potential income from these scams isn’t all that much. To earn about 10,000 rubles [$156], you’ve got to call up between 100 and 200 people.

After these leaks, banks are supposed to notify their clients and warn them that fraudsters might try to contact them. A warning system like this would go a long way, but our banks don’t do it, as far as I understand. Clients can only be vigilant and careful, if they’ve seen their bank in news headlines, and they should know that fraudsters might try to call them.