Customer data from the Auchan and Your House retail chains has ended up publicly accessible. Auchan has confirmed the leak. The files linked to Auchan contain first and last names, phone numbers, e-mail addresses and other information, about 8 million records in total. The company "Your House" leaked about 700 thousand records. How the data was obtained has not been specified. Roskomnadzor has already taken an interest in the incident.
Auchan's press service said the company is conducting an internal investigation "in order to establish the attack vector and the source of the leak." Auchan regrets what happened and apologizes to its customers, the retailer's representative emphasized.
A little later, a data leak from the site gloria-jeans.ru became known, involving more than 3 million e-mail addresses. The problem of data leaks in Russia is very serious, says Evgeny Tsarev, manager of RTM Group and an expert in information security and IT law.
"The situation that has developed with leaks in Russia is anomalous. That is, this does not happen in Western countries, nor in the East. I mean the scale. The government ignored this issue for a long time. Citizens could not receive compensation for leaked personal data, nor were there significant fines for processors of personal data. All this lasted for decades, and now we are in a situation where companies will be forced to revise their information systems in the field of IT. Information security issues will also be reviewed."
Significant, even "abnormal" demand for data protection specialists has appeared on the market, Tsarev notes. Attackers who steal data are most often caught at the moment they try to sell the information. Often these are current or former employees of the companies. Bank data and information from pension funds and insurance companies are valued most highly on the black market, so protection in that sector is better than in retail chains. Store customer databases can be used, for example, for targeted advertising.
At the end of last year, the Ministry of Digital Development prepared a draft law introducing fines for leaks of users' personal data. The fines can amount to up to 3% of the company's turnover, a practice that is common in the West. It was also reported that the fine would be commensurate with the volume and criticality of the leaked data: for a first leak the penalty would be a fixed amount, and for subsequent leaks a turnover-based penalty would apply. If a company compensates customers for damages and also upgrades its security infrastructure, this may be considered a mitigating circumstance.
Do such measures motivate better protection? Maxim Lagutin, executive director and personal data protection expert at the B-152 company, answers.
"Everyone expects that in late June or early July a public, almost pre-final bill will appear, which will go to the State Duma. But from what we have seen, yes, there are really big fines, from fixed to negotiable. Indeed, several large businesses have started to do something. But for now the fines are small. It does not motivate business. Not every business is motivated. Usually only the IT business is motivated by this. So far I have even heard from a few consultants that there is a strategy of paying a small fine before it gets big."
Judicial practice shows that companies are currently fined only symbolically. For example, the magistrate's court of the Savelovsky District of Moscow recently found that the actions of the VK company led to a leak of Mail.Ru mail users' data. For this, a fine of 60 thousand rubles was imposed.
Experts noted that last year the volume of leaked data in Russia increased 40-fold compared to 2021, with about 150 major leaks. Experts attribute the number of cyberattacks on Russian companies, among other things, to the aggravation of the international situation.