Parliament to tighten laws after data theft scandal
This is not the first major leak of personal data in Russia, but the true scale of the disaster is unknown, as the company does not have the right to report such incidents.
Experts say the large-scale leak poses almost no direct threat to Zurich's clients. There is always the possibility that the buyers of an insurance company's customer database will turn out to be criminal organizations, but it is far more likely that the secondhand buyers will be competing companies, says Alexei Raevskii, general director of Zecurion.
In the latter case, affected Zurich clients are likely to face nothing worse than an increase in mailings offering services.
“As for the indirect losses, they can be assessed in the tens of millions of dollars in this case,” the general director says. If Zurich's customer base falls into the hands of competitors, then, within the next six months, more than half of the clients in that database may change their insurance company, experts predict.
Another major leak of customer databases, which also became known to the media, took place in August 2012: the names, email addresses and mobile phone numbers of subscribers to coupon services were leaked online.
Scammers offered to sell Vedomosti journalists a database of 760,000 Muscovites registered in online stores or coupon portals for $500. The press services of the largest coupon providers — Biglion and Groupon — denied leaking their databases.
Of all commercial organizations, telecom operators are the most prone to leaks, notes Raevskii. In 2003, the customer base of MTS was stolen, and the intruders obtained not only the names and telephone numbers of subscribers, but also their passport data. The operators claimed that the theft likely occurred through centralized law enforcement.
"Now the situation has improved somewhat — but mainly due to the fight against the sellers, not the insiders. And there is every reason to believe that the situation with the protection of databases in these organizations has not improved significantly," says Raevskii.
The fight against the sellers of stolen data is not enough to minimize the risk of leakage. It is essential that companies and agencies themselves think about the protection of their data.
"The competent director of information security, with organizational and technical measures, may well reduce the risk of leakage to an acceptable level. However, this requires the support of the leadership, which often does not consider information security a priority task. Therefore, as long as priorities have not changed, it would be naive to wait for a fundamental change in the situation with the leaks," says Raevskii.
Changes to Russian laws on the protection of personal data could encourage companies and agencies to take better care of their own security. In its current form, the law on the protection of personal data "looks strange enough," according to Raevskii: it contains a list of technical requirements that an organization must meet, but it provides no liability for a leak.
The lack of a mandatory requirement to inform clients about leaks of confidential data also raises doubts. Such a requirement is included in the laws of some EU countries and can be an effective way of dealing with leaks, say Doctor Web experts.
Under current law, the penalty for allowing data leakage is only 20,000 rubles (about $600). The Federation Council is currently preparing amendments to the law on personal data, which will reduce the level of technical requirements for organizations, but significantly increase the penalties for leaks.
According to Ruslan Gattarov, member of the Federation Council Committee on Science, Education, Culture and Information Policy, penalties could reach "millions of rubles." However, it is not clear when these amendments will be adopted.